Tarun Wadhwa is a writer, researcher, and entrepreneur working at the intersection of technology and public policy.

You would think that it would be a terrible idea for a company accused of helping teenagers send each other sexually explicit images to feature bikini-clad young girls in their marketing. Most would avoid such direct associations, for good reason – it’s immature, and edgy when it doesn’t need to be.

But not the makers of the enormously popular app, Snapchat, which allows people to send images and videos that “self-destruct” after a few seconds.

The company claims messages are deleted once they are opened, but there have been a series of recent scandals showing that this may not be completely accurate.  Their product is far from perfect, and there are several ways to compromise the protection they offer.  It is never a good idea to send something over the internet that would damage you or your reputation if it became public.  While this may be common sense, it has little to do with how we actually act online.

The makers of Snapchat are right to reject the “sexting app” label — it’s not clear that this is what it is even being used for, and everyone deserves the option to communicate privately when they want, without automatically being branded as a pervert.

Within a few months of launching, the company has made an enormous and lasting impact on the culture of communication on the Internet, and we should all be grateful.

They have simplified a security process enough to the point that anybody can use it, while validating the market of the next generation of privacy-preserving ephemeral communication.  Most importantly, we may finally get a break from the forced permanence of the Facebook and Google world, where everything you do and share is a data point to be monetized and re-sold to the highest bidder.

And Snapchat isn’t even the best product out there — there’s a whole slew of communication tools that are more secure and functional making their way into the public eye.

One of those is Wickr, created by RSA veteran Nico Sell, a more serious security-focused app that uses “military-grade” encryption to send text, video, voice, and document files that can self-destruct after a given period of time.  Hospitals and law enforcement have expressed interest in a similarly functioning Android app, Gryphn.  Although it’s not “self-destructing,” keep an eye on the exciting and powerful suite of communication apps developed by encryption legend Phil Zimmermann’s Silent Circle company – they are not for “average” users, but they could provide enterprise and more serious clients a massive improvement in security.

What apps like these do is allow us a little bit more freedom to be ourselves, for better or worse.

In the copycat world of Silicon Valley startups and funding, expect to see a lot more “Snapchat for _____” type companies.  Finally, the lack of app creativity may work in the favor of consumers.  We have accepted the notion that what you do on the internet is permanent – a statement that is partially a truthful observation, and partially a threatening promise from the companies and entrepreneurs who are making it a reality – but it doesn’t have to be that way for everything.

Perhaps the greatest impact of this rising industry will be when the giants try to co-opt them, as Facebook attempted with Poke.  The issue of trust in these companies aside, it would be a winning situation for everyone for ephemeral features to be built into the services we already use.

We need more human-behavior-friendly default settings.

Privacy is complicated, and nothing is ever completely secure.  Nobody is immune from this, as Nicholas Weaver wrote in Wired, “even the head of the CIA can’t email his mistress without being identified by the FBI.”  But in the billions of messages already sent through Snapchat are a few people who didn’t have their lives ruined because of something they shouldn’t have shared.

The media can continue to ridicule the “sexting app” that so many young people are using, but they are entirely missing the point.  The same generation being blamed for the supposed “death of privacy” has become wiser than those who are criticizing them.

In a candid admission at the Milken Conference this year, former UK Prime Minister Tony Blair, when recalling his college days playing in a band, told the audience, “thank God social media didn’t exist then, because if it did, I wouldn’t be here.”  The Internet wasn’t built with security in mind, and we’re still dealing with the consequences of that.  The next generations are going to be the ones who pay the true cost of the design decisions we make today.

Tarun Wadhwa is a writer, researcher, and entrepreneur working at the intersection of technology and public policy. You can follow him on Twitter – @twadhwa – or contact him directly at VB@tarunwadhwa.com. Also, check out his upcoming book, Identified, which will be out later this year. 

Image credit: Shutterstock/Shocked man

Web security firm AVG has already demonstrated its dedication to user privacy by adding Do Not Track capabilities to its software. Now it appears to be doubling down on that with the purchase of small web privacy firm PrivacyChoice.

PrivacyChoice was founded in 2009 offers one flagship product — a powerful browser extension called Privacyfix that analyzes your activity on sites like Facebook, LinkedIn, and Google and shows you how exposed your information is. For example, PrivacyFix analyzed my Facebook info and found that my exposure to Graph Search is quite high and that Facebook tracks my activity on 89 percent of sites I regularly visit. (Yes, this freaks me a out a little.)

“Since founding, our mission has been to deliver more effective and more informed choices about how your data is collected, used, and shared,” PrivacyChoice founder Jim Brock said in a statement. “We saw strong synergies between our approach and the efforts AVG continues to make in empowering people when it comes to their online privacy.”

Privacyfix is currently available for Google Chrome and Mozilla Firefox, but it will soon be available for Internet Explorer as well. AVG also promises that Privacyfix will come to iOS and Android phones and tablets some time “this year.”

The terms of the deal were not disclosed. Brock will become Vice President of Privacy Products for AVG along with the acquisition.

Check out an example of the Privacyfix dashboard below:

Privacy sign via rpongsaj/Flickr

According to a test by Ars Technica, Microsoft is intercepting, decrypting, and reading at least some Skype messages — to the point where URLs embedded in Skype chat are being visited by machines at IP addresses belonging to Microsoft … most likely a bot, but potentially a human being.

“And this can only happen,” Ars’ security expert Dan Goodin writes, “If Microsoft can convert the messages into human-readable form at will.”

Skype currently uses 256-bit AES encryption to secure communications between users, which is considered very secure. Secure, perhaps, but not necessarily private. When Ars sent messages via Skype containing four web links created specifically for this experiment, two of them were accessed by a Microsoft-controlled machine.

Skype’s privacy policy openly states that Skype may check instant messages and SMS texts for spam, fraud, or phishing attempts, and, in some cases, have a human being check them. Ergo, we can decrypt our own encryptions and can know what you say and know what you send.

Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links. In limited instances, Skype may capture and manually review instant messages or SMS in connection with Spam prevention efforts. Skype may, in its sole discretion, block or prevent delivery of suspected Spam, and remove suspicious links from messages.

That’s not good if you have an expectation of and desire for privacy. And now that it’s obvious that Microsoft itself can read your private messages, the question is, who else has that ability?

Almost a year ago, the FBI requested private backdoor access into multiple communication and social networks, including Facebook, Twitter, and, yes, Skype. Wiretaps are increasingly useless, the FBI realized, and modern communications were defeating the bureau’s attempts at surveillance. Whether the requested access was ever granted is unclear, but Microsoft has a patent on ways to make it happen.

And Skype’s terms of use also say the company can route your communications to law enforcement agencies:

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone’s rights, property, or safety.

However, if you want more security — and privacy — on Skype, you can have it. You simply have to pre-encrpt any messages (as a Polish professor discovered) and then decrypt them on the receiving end.

I won’t do that, and most Skype users won’t do that, probably because we’re not discussing matters of national security or engaging in nefarious behavior. But it’s disappointing, if only the cold slap of reality in a dangerous and violent world, that private isn’t really private any more.

And it would be nice to know the exact limits of Skype privacy and security.

I have talked to a Microsoft representative about this story and am awaiting a statement or comment from the company.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Bang With Friends’ newborn iPhone app no longer appears in the Apple App Store, leaving “down to bang” iPhone users wondering why.

The company’s chief executive Colin Hodge told Valleywag that the app recently passed over one million users, but it’s been removed from the store.

Bang With Friends matches you up with people in your network who are, well, interested in having the sex. You sign up for Bang With Friends using your Facebook account. The “service” will only match you up with those willing to service you; otherwise, your activity remains anonymous.

The company only launched its iOS and Android apps last week, bringing the action off the computer and into the mobile world. You’re now able to find out if someone wants you when you’re on the go, but not if you’re an iPhone user, evidently.

It might not be the subject matter that’s giving Apple pause. If the company found Bang With Friends violating any privacy guidelines, or taking data in a way that Apple doesn’t approve of, it would pull the app. We’ve reached out to both Apple and Bang With Friends to figure out what is behind this removal and will update the post upon hearing back.

BangWithFriends’ website only offers that it will “be right back” and is trying to work with Apple to restore the app.

It was also recently uncovered that you can discover just which of your friends use the app on Facebook. All you need to do is type a special URL into your address bar and it will call up all of your friends who match a certain app identification number. This goes against what Bang With Friends claims, which is that your use of the app will remain anonymous.

via Valleywag; Bang With Friends image via Bang With Friends

It seems privacy issues related to Google Glass are drawing government attention. A committee in the U.S. Congressional Privacy Caucus sent a letter to Google chief executive Larry Page asking just how the company plans to protect both people wearing the device and the people it records.

The group was particularly interested in the idea that Google Glass can use facial recognition to deliver a wearer information about the people nearby. Mostly, the caucus wanted to know if this facial recognition can be turned off or opted out of by a specific person.

The committee also brought up Google’s past with privacy issues, including the recently settled case where Google collected data from unsecured Wi-Fi networks as a part of its Street View project. Google agreed to pay a $7 million fine as a result of that lawsuit, though it has obviously left the U.S. government wary of Google’s privacy protections.

The letter was signed by eight of the Privacy Caucus’ members, and was led by Rep. Joe Barton (R-TX).

As All Things D notes, Google Glass product director Steve Lee explained that privacy and “social implications … of Glass, of people wearing Glass, has been at the top of our mind.” He went on to explain that Google will likely not deviate from the current privacy policy it has set up — another concern of the Privacy Caucus.

Letter to Google from Congress privacy group regarding Google Glass privacy

via All Things D; Google Glass image via Jolie O’Dell/VentureBeat

After flying a drone “a few feet away” from a family home in Seattle, one man claims he was doing research well within his legal rights. The camera-clad drone, however, spiked justified concerns about the privacy of the family who lives there.

A woman in Seattle explained to the Capitol Hill Seattle Blog (CHS) that she heard a buzzing noise outside her home that she assumed was a weed-whacker. Instead, it turned out to be a flying drone with an attached camera, hovering near her third-story window. She spotted a man on the sidewalk outside of the house controlling the drone. Her husband did what any normal person would do: he asked the man to cut it out, but he refused saying it was within the law to fly the drone and that he was conducting research. The couple subsequently called the police, who decided not to come once as the man decided to leave the area.

“We are extremely concerned, as he could very easily be a criminal who plans to break into our house or a peeping-tom,” she said, according to CHS.

The Atlantic points out that a 1946 Supreme Court ruling considers all airspace to be a public highway. But airspace or not, I assume you can’t take pictures of someone’s home through their windows without permission. If someone had a very long stick with a camera at the end and held it over your fence, you’d likely not consider that legal either. It’s yet another example of the dire situation we’re in trying to keep legislation up with technology.

Commenters on the CHS blog post speculate that the drone could have been used by a local paper’s reporters to demonstrate how “useless” they are. Others suggest it could have just been a weirdo.

Drone image via Don McCullough/Flickr

That’s going back to the future, according to Monetate: going back to a time when all commerce was personal.

But there is a yin and a yang here.

While we may want personalized experiences, and we want websites to be smart — to know us, essentially, and act as an intelligent, solicitous person might — privacy is part of the picture. A good third of us don’t want our website activity tracked, and a quarter of us don’t want the websites we shop to personalize our experience at all.

Monetate has four tips for online retailers:

1. Use marketing automation technology and big data to assist with personalization
2. Target segments with relevant content based on what you know about them
3. Don’t think of channels, think of customers first
4. Be in it for the long haul, not the quick win

All the data, in visual form:

photo credit: crsan via photopin cc

The White House has reportedly created the position of Chief Privacy Officer and tapped Twitter legal director Nicole Wong to fill it.

Twitter hired Wong in November 2012, only a few months after it first released its Transparency Report — a list of government take-down requests that often highlights privacy and censorship issues in the industry. The company often has to deal with these issues as its user data is often desired in court cases and other situation.

She will work alongside the current chief technology officer under the Obama Administration Todd Park. Park is rightfully focused on the security and privacy industry and user data becomes more accessible and valuable to others both in and outside of the Unisted States.

Todd succeeds the country’s first CTO Aneesh Chopra, also appointed by President Obama.

Wong is also an interesting pick because she knows the ins and outs of how big technology companies like to use that data themselves. She’ll bring what seems like a rounded experience and knowledge of U.S. law to the White House tech team.

Wong previously worked at Google, which is also known for its transparency reports. She spent time choosing between which take-own requests requests to fulfill and which to throw out.

via CNET; Nicole Wong image via Twitter

West Virginia legislators, led by Gary G. Howell (R), hoped to ban motorists from using Google Glass while driving in March. And as it has been revealed that Glass wearers could take a picture just by winking, pundits talk about Google Glass creeping them out, bars that no Glass-wearing geek would enter start banning Google’s wearable computer, and Las Vegas casinos have declared the device persona non grata. Pit bosses, apparently, have cold sweats about poker games being recorded and transmitted and players getting relayed instructions via Glass’ built-in bone subduction speakers.

Really, you wouldn’t have thought a proposal to Borg the entire human species would have met with such resistance.

Seriously, however, almost any individual thing Glass does now has been possible in the past.

Source: Steve Mann

Steve Mann’s computer-assisted vision system.

Memoto, the camera that hangs around your neck and takes a picture every 30 seconds, blew through its Kickstarter campaign goal by a factor of 10. It’s tiny, unobtrusive, and has no on-off switch — a voyeur’s delight in public bathrooms, pools, and who knows where else. Head-mounted cameras are nothing new.

Motorola Solutions — the part of Motorola that Google doesn’t own — demoed its wearable computing and head-mounted mobile computer to our own Dean Takahashi last year. And glasses with cameras are available from multiple manufacturers.

It’s probably the full-meal-deal package that Glass presents that is the problem — and the fact that it houses all of its startling capability in probably the first somewhat attractive device which someone not on the Star Trek convention scene might actually wear.

We’ve already seen the panic and anger that always-potentially-on technology can cause when Steve Mann, who wears a computer vision system, was assaulted in a Paris McDonald’s for failing to take the device off, even though it is permanently attached to his head. Glass promises to ignite that same fear, worry, and concern over privacy, multiplied by millions of potential wearers.

“Welcome to a world through Glass,” Google says in its introduction to what Glass does. “Record what you see. Hands-free. Even share what you see. Live.”

There’s no doubt that Glass is awesome, cool, and empowering, but every power that an individual gains is a power that might infringe on others … and a power that governments tend to want to control.

“This is just the beginning,” Los Angeles privacy lawyer Timothy Toohey told the NY Times. “Google Glass is going to cause quite a brawl.”

photo credit: Dunechaser via photopin cc

Consumer antivirus maker Avast has acquired Secure.me, a Facebook-focused personal security startup.

“I am overwhelmed that our vision has reached its destination,” wrote Secure.me cofounder Mario Grobholz on the company blog. “The deal with Avast is the most crucial milestone in our company’s history.”

Secure.me launched in November 2011 as a way parents could keep their eyes on their offsprings’ Facebook activity, including outgoing and incoming messages, wall posts, and status updates.

Secure.me also searches for preset or user-created search terms, sending notifications when the terms pop up in Facebook content. And its photo recognition technology keeps a virtual eye out for pictures with specific people in them, whether or not that person has been tagged in the photo.

Then, last fall, the company launched App Advisor, a program to protect all Facebook users — not just kids — from third-party applications in the mood for personal data.

But with mixed business success and no immediate opportunities to take investment, the Secure.me team started looking around for other opportunities. Grobholz said his team will continue to focus on personal data security at Avast.

Avast was founded in Prague in 1988 by researchers Pavel Baudiš and Eduard Kučera. The terms of the acquisition were not immediately disclosed.

If Google is trying to make Glass as creepy as possible, it’s sure doing a good job.

According to code found in the MyGlass companion app by Reddit user fodawim, Google Glass could allow users to take photos just by winking.

Which should, of course, horrify you.

Google Glass is stepping up the creep factor.

While the prevalence of smartphones nowadays means that you’re only seconds away from having your photo taken and thrown on the web, Glass takes that a step further: Creeps wouldn’t even have to take their phone out to photograph you — they can just wink at you (with all the salacious undertones that said winking implies).

That ease of photo taking makes me wonder whether Glass will come with a built-in shutter sound to notify people when it’s snapping photos. Unwanted photography is such a significant issue for smartphone owners in countries like South Korea that  handset makers are forced to equip their devices with shutter sounds that users can’t turn off. And I fully expect Glass will be greeted with a similar feature — at least for the sake of non-Glass owners of the world.

Alongside the photograph-by-winking functionality, Glass could also let users zoom in on webpages by doing a smartphone-like pinch motion and put Glass to sleep by turning their heads in a certain direction.

Photo: Flickr/mariachily

Instead of buying digital goods, we are increasingly exchanging them for our personal information, such as our names, email addresses, browsing preferences, location and much more.  There is absolutely nothing wrong with this model but the long term viability of it depends on all parties coming together to ensure transparency across the value-exchange.

That’s why MEF has recently launched its Global Privacy Report to investigate levels of awareness as to what user data is captured and whether or not this affects consumer behavior.

The study was far reaching with over 9,500 respondents across ten countries.  What emerged is a fundamental disconnect between the assumptions we as an industry make about consumers and what they actually think.

Freemium content or ad-funded services are based on a simple value exchange: you get a useful app for free or next to nothing and in return the app provider collects your user data to monetize it in some way.  That’s why when you boot up an app you are often met with some form of request about sharing your location or other data.  

For the consumer the request it can appear totally unrelated to the function of the app – for example, why would a spirit level app need to know where you are?

Moreover, consumers are increasingly aware that if they can purchase mobile versions of console games for free or next to nothing (when its console edition costs a hundred times as much) then its likely that something else is going on.

This is the hallmark of the app economy.

Interestingly, the report found that 70 per cent of consumers say  it’s important to them to know exactly what data an app is collecting and what data is being shared.  Nearly half say that it’s very important.  This says very clearly that consumers understand the impact of apps on their privacy and importantly that they want to have some control.   

Secondly, the wake-up call to app developers should be that that only 37 per cent of consumers are comfortable sharing information.  33 per cent are not at all comfortable. That means either 33 per cent of all consumers are avoiding apps because they don’t trust them, or they are happily downloading and using apps unaware that they are sharing their personal information.

Neither of these scenarios is good, but the second is much worse.

It means that at some stage it is likely that there will be a backlash. Consumer trust is a company’s most valuable asset and not easily regained whether or not app providers clean up their act and become more transparent.

Building consumer trust is critical to growing a sustainable business in a market where thousands of apps jostle for space.  As an industry we have a limited window of opportunity to show consumers that we are capable of protecting their privacy by not taking their understanding of it for granted.  We have work to do to bring consumers with us on this journey into this information value-exchange that is equitable to all parties.

Some of the principles of trust are already established at a legislative level with privacy policies becoming mandatory in many territories. What’s missing is how developers and app stores introduce and build the asset of consumer trust into their day-to-day business, taking the practical steps to establish transparency in a consumer-friendly way.

It’s not uncommon for a privacy policy to be reached via a link that takes the consumer out of an app and on to the mobile web, interrupting the user experience.  Some apps also have privacy policies that run to 65 pages and we have to consider if this disclosure is constructed with the consumer in mind and would a consumer really read a lengthy policy in the immediacy of the mobile environment?

App providers don’t have the time to become privacy experts.

They need a simple, cost effective way of building best practice privacy disclosure into their development workflow in a way which puts the consumer at the centre of this process.  Clearly there is a need for tools which provide short form privacy policies that also execute in-app and explain privacy in plain English.

Consumers have told us that privacy is an issue for them and we can ill-afford not to listen.  MEF is working with our members to address this challenge with practical guidelines and new tools through its Global Privacy in Mobile Apps initiative.

Andrew is the global chairman of MEF, trade organisation representing the global mobile content and commerce industry. He is also the chief strategy officer at mobile payments business, mBlox. An industry veteran with more than 17 years experience at the mobile coal-face Andrew has championed countless mobile industry issues. He help found MEF in 2001 to support the mobile industry as it grows in to new geographies and new vertical markets.

Photo Credit: Szift/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

You may not remember that time you jokingly asked Siri how to bury a body, but Apple sure does.

Apple holds on to Siri queries for up to two years after they’re asked, an Apple spokesperson tells Wired. After iPhone users ask Siri a question, that question gets analyzed and stored. Six months later, Apple anonymizes the data, but the company holds on to it indefinitely for “testing purposes.”

So everything you’ve ever asked Siri is being stored on Apple’s servers somewhere.

How about helping me delete my data?

Apple’s desire to hold on to Siri data is understandable. After all, every current Siri response only serves to make future Siri responses faster and more relevant. More, that data is powerful even without knowing who it came from.

The real problem, though, isn’t that Apple keeps the data — it’s that not so many people are aware that the storage is happening.

Apple’s privacy policy, for instance, doesn’t mention Siri at all, and the Siri FAQ makes no note of how long Apple stores user queries. Whether that oversight is intentional or not isn’t known, but Apple would certainly be wise to rectify it soon.

Fortunately, Apple says it automatically deletes your data if you decide to turn Siri off, which should be a welcome solace to the more privacy-obsessed iPhone users out there.

All of this, of course, should be vindication for IBM CIO Jeanette Horan, who told MIT’s Technology Review last year that her company bans Siri for the exact things we’re talking about here.

“We’re just extraordinarily conservative. It’s the nature of our business,” Horan said.

Perhaps every company should be as conservative as IBM is.

The Internal Revenue Service could be reading your emails without obtaining a warrant, according to a new document uncovered by a Freedom of Information Act request. In it, the IRS reveals that it still doesn’t believe people have a reasonable expectation of privacy in their emails.

Technically, emails are not yet protected by law under the Fourth Amendment, though a recent court case, U.S. v. Warshak, states differently. In this case, judges ruled that defendant Steven Warshak “enjoyed a reasonable expectation of privacy in his emails,” citing the Katz v. U.S. case that helped define what a search and seizure is under U.S. law.

Advocacy groups and Internet companies alike — including major email provider Google — all stand by that ruling. According to the American Civil Liberties Union, which made the FOIA request, the IRS’ Criminal Tax Division would rather seek out your emails using a subpoena.

Why does this enrage organizations like the ACLU? For some time now, advocacy groups have been pulling for a change to the Electronic Communications Privacy Act. The ACLU calls it “hopelessly outdated” — it was established in 1986, a time when telephone calls were a much more widespread way of communicating that emails. But nowadays emails are just as, if not more, prevalent than phone calls, and they include very personal information that people may consider “private.”

The ACLU notes that the ECPA only requires a warrant on emails that have been on an email provider’s servers for 180 days or less, but anything beyond that time frame and any message that has been opened does not require a warrant.

hat tip CNET; IRS money image via 401(K) 2013/Flickr

It’s easy to make fun of Burner, the disposable phone number app for iOS (and now Android).

The app’s premise — “disposable phone numbers when you need them” — understandably makes you think that this would be a great tool for bad guys doing bad things. But Ad Hoc Labs, the app’s creator, has stressed since the beginning that Burner isn’t meant for drug lords. It’s a privacy app.

See? Completely legit.

“Burner is an important tool for users to protect themselves by adding an extra layer of anonymity to their phones,” AD Hoc Labs CEO Greg Cohn said in a statement.

Consider online dating, perhaps, or even Craigslist selling. Burner could be used for crime, but the legal use cases far outnumber the illicit ones.

Oh, and as far as that Android app goes, it looks to function much like its iOS counterpart. The app, which is now free, comes with one free burner, which lives for five voice minutes or 15 texts. After that, users can buy credits, which can be used to extend their burners’ lifespans.

Alongside the Android app, Ad Hoc Labs is also updating the Burner iOS app, which now offers customizable voicemail greetings, improved notifications, and call history management.

As far as the criminal question goes, Ad Hoc Labs says that no law authorities have approached it for user information, but it would likely agree to any official subpoenas it receives.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Whenever you install an app on your Android phone from Google Play, the app developer gets your name, email address, and neighborhood. Microsoft thinks that’s an egregious breach of consumer privacy, and it published a new video today on Scroogled that hits Google hard.

“Most app makers are trustworthy,” the ad says. “However, in the wrong hands, who knows what they’ll do with your info?”

The question is a valid one, and Microsoft is quick to mention that downloading and installing apps on Windows Phone does not result in personal information being shared. Apple’s app store handles purchases and downloads the same way, with purchasers’ names, email addresses, and detailed locations remaining private.

The difference appears to be that Google views its Play store as a marketplace rather than a store, in which you are purchasing from the developer, not specifically from Google. In other words, it’s eBay, not Amazon. I’ve asked Google for additional comment.

There’s no question that Microsoft’s attack is a little over the top, paired with a big scary question: “If you can’t trust Google’s app store, how can you trust them for anything?”

But there’s also no question that this is a privacy concern Google should address.

I’ve downloaded many apps from Google Play, and I’ve never once seen or noticed any notification that my personal information would be passed along to the app developers (which could entirely be due to my own lack of attention, or general click-through warnings behavior).

Consumer Watchdog has complained to the FTC about Google’s practice, saying:

“To no one’s surprise … Google has violated the Buzz Order yet again – and this time in a most substantive and egregious manner, by giving personal and closely held information from tens (if not hundreds) of millions of Android users to independent and unrestrained application developers, in contravention of Google’s own stated privacy policy … This represents the fifth significant misuse of confidential user data by Google in the last three years (previously, the “Wi-Spy” scandal, the Google Buzz fiasco, Google’s improper combining and use of personal data, and the Safari Hacking episode).”

I’ll update with Google’s response as I receive it.

IsAnybodyDown published galleries of nude photos, including identifying features, names, and cities.

Florida is one of the first states to take definitive action against revenge porn. The House subcommittee unanimously voted in favor of a bill that would make posting revenge porn a felony punishable by up to five years in prison and a $5,000 fine.

Despite the fact that revenge porn is a pervasive and alarming problem, the practice still exists in a legal grey area. Revenge porn refers to the act of ex-lovers uploading illicit photos to the Internet. The images are often accompanied by personal identification information, and done without the subject’s consent. This is not technically illegal because the photos may be considered the photographer’s intellectual property, and the line between invasion of privacy and free speech is a thin one. Furthermore, operators of these sites claim they are not responsible for user-submitted content due to the Communications Decency Act, and content is often submitted anonymously.

House Bill 787 “prohibits knowing use of [content] that depicts nudity and contains any of depicted individual’s personal identification information or counterfeit or fictitious information purporting to be such personal identification information, without first obtaining depicted person’s written consent.”

Victims can currently make claims against their harassers through civil channels, but this bill would make revenge porn a criminal act. It recognizes “contextual consent,” which means that while a person may allow photographing or filming in one context, they would not allow it in another. For example, a girlfriend who lets her boyfriend take a nude photo in the privacy of her home is not consenting to having that photo published on the Internet a year later with links to her social media profiles. Other provisions of the proposal include enhanced penalties for violations involving victims under 16 years of age and targets perpetrators who live outside of Florida but post content involving in-state residents.

However, some say the Bill is not specific enough. In an interview with Salon, Mary Anne Franks, a law professor at the University of Miami, said that while the recognition of “contextual consent” is good, the law is both too broad and too narrow. On the one hand, it applies to any image that depicts nudity, which could include someone standing next to a nude statute. On the other hand, the law is too narrow because it does “not apply to depictions of graphic sexual activity unless certain parts of the body are visible.” Franks cited a case where a man posted a picture of himself ejaculating on his sleeping girlfriend’s face, which does not violate the law.

Revenge porn and its criminalization have recieved national attention over the past week as a group of lawyers, bloggers, and activists work to bring down “IsAnybodyDown,” one of the most well-known revenge porn sites, which features photos of hundreds of people. In March, CBS Denver reported that the federal government may launch a formal investigation into the site after several underage victims filed copyright registration certificates in Colorado with intent to sue. These class action suits, while they can have an impact, are slow to move and do not have the immediacy of a criminal case. The man behind IsAnybodyDown, Craig Brittain, has twice closed down his site after coming under scrutiny and transferred the content to a new site to frustrate the authorities.

Revenge porn sites have existed for a decade, and yet little progress has been made to address the problem. San Francisco attorney Erica Johnstone told VentureBeat’s Christina Farr that when she first started handling cases like these, they were individual cases of an ex seeking revenge. Now, there are more examples of hacking and extortion, such as a scheme that charges victims hundreds of dollars to remove them from the site. Additionally, the rise of camera phones and sexting mean that people can be photographed without their knowledge.

The Florida bill provides an effective date of October 1, 2013. Representative Tom Goodson authored the bill, with support from the Brevard Country Chief’s Association, State Attorney Phil Archer, Attorney General Pam Bondi, and the Florida Sherrif’s Association. The bill followed a report of a young woman in Brevard County who had nude photos, her name, email address, and hometown posted without her consent, and when she went to the Sheriff’s department for help, was told it was not a crime.

Photo credit: Screenshot

Bloomberg broke the story and said that Google is the second company to fight back against NSLs. Challenges are rare — of 300,000 government-issued NSLs since 2000, only a handful of companies have resisted. The letters enables intelligence organizations to send secret requests to Web and telecom companies to gather data that is “relevant” to an investigation. They do not need a judge approval and come with a gag order, so people who receive the requests cannot talk about them.

Google filed a petition to “set aside the legal process,” citing a provision that enables judges to modify or deny NSLs that are “unreasonable, oppressive, or otherwise unlawful.” It is unknown why Google received the request, but in a blog post earlier this month, Google’s director of law enforcement and information security Richard Salgado said the company has been “trying to find a way to provide more information about the NSLs we get — particularly as people have voiced concerns about the increase in their use since 9/11,” and would include data about NSLs in their Transparency Report.

While civil rights groups aren’t always thrilled about how Internet companies use their customers’ private data, they are responding positively to Google’s stance against unwarranted government probes. The Electronic Frontier Foundations attorney Matt Zimmerman told Bloomberg “the people who are in the best position to challenge the practice are people like Google. So far no one has really stood up for their users.”

The FBI’s ability to issue NSLs was expanded under the Patriot Act. In 2007, the Justice Department found “serious misuse” of the FBI’s surveillance powers through its unlawful obtainment of information. Illston, Google, and others are taking steps to challenge the NSLs on the basis that they are “unreasonable, oppressive, and otherwise unlawful.”

Photo Credit: Cliff 1066/Flickr

California State Assemblymember Bonnie Lowenthal (D-Long Beach) has introduced the “Right to Know Act 2013,” which would force businesses to tell consumers what personal data they have and with whom they’re sharing. The bill follows lobbying efforts from privacy groups the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

“This bill would instead require any business that has a customer’s personal information, as defined, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all third parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer,” reads a portion of the act.

Privacy and data ownership is a hot-button issue within the tech community. Companies ranging from giants like Facebook and Google to small e-commerce startups gather information about user activity and sell them to data brokers or advertising networks to create better-targeted advertising. Many consumers are be uncertain of privacy policies, unaware that their behavior is being tracked, and/or are unsure how to prevent it.

In a blog post supporting the Right to Know Act, the EFF wrote: ”Let’s face it: Most of us have no idea how companies are gathering and sharing our personal data. Colossal data brokers are sucking up personal facts about Americans from sources they refuse to disclose. Digital giants like Facebook are teaming up with data brokers in unsettling new ways. Privacy policies for companies are difficult to read at best and can change in a heartbeat. And even savvy users are unlikely to fend off the snooping eyes of online trackers working to build profiles of our interests and web histories. … The new proposal brings California’s outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all the ways their personal information is being trafficked.”

But “big data” means big money these days. Tech companies can use data to optimize their business strategies, create revenue streams, and attract advertisers (not to mention the lucrative companies that act as data brokers). Chances are the tech community won’t react kindly to this proposal. However, the EFF said that this bill is about transparency and access rather than restrictions, and it does not limit or restrict data sales. Google and Facebook have not yet responded to requests for comment.

The European Union has supported its citizens rights to submit a request to acquire data with its Data Protection Directive. In January 2012, the European Commission met with strong resistance after drafting the General Data Protection Regulation, which said all foreign companies processing data of EU residents had to comply with their regulations. Yesterday, data-protection authorities from Britan, Germany, France, Italy, Spain, and the Netherlands launched a joint action against Google after a five-month investigation which found that Google failed to give users information about how their personal data was being used across multiple platforms.

California has a long history of consumer protection laws, but the tech industry is an important part of state’s economy and has sway over legislative decisions. Do people have the right to “habeus data?” Or do businesses have the right to do what they want with the information users give them? Read A.B. 1291.

Photo Credit: http://www.asmdc.org/members/a70/photo-gallery

Europe sure does love its investigations.

When Google streamlined its privacy policy last year, it got the attention of regulators like France’s National Commission for Computing and Civil Liberties (CNIL), which investigated Google over the new policy and recommended some changes. (The biggest problem? Google gives users ”incomplete or approximate information” about what data it collects.)

Now, CNIL has finished its investigation and says that Google has failed to fix anything. As a result, the watchdog has recommended that member states of the EU start their own investigations into Google’s new privacy policy, all of which could result in some hefty fines for the company.

“It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation,” CNIL said.

The timing of the news is interesting, as Google yesterday confirmed that privacy director Alma Whitten is stepping down after three years on the job. As we pointed out then,Whitten’s tenure has been a tough one, and if the latest EU investigation is any indication, her successor, Lawrence You, won’t have it much easier.

Google, of course, is no stranger to either fines or investigations. As Google continues to grow, so, too does the opposition to how it handles user data. Mr. You has quite a job ahead of him.

Photo background: France/Shutterstock

Alma Whitten’s job as Google’s privacy director is not one that I would wish on my worst enemy.

When Whitten took the helm in 2010, Google was still dealing with the fallout from its Street View scandal, which is costing it over $7 million in fines. Whitten was also there as Google codified its 70-plus privacy polices into a single, controversial one last January.

Mr. You may not have that smile for too much longer, I’m afraid

Another big hit came last year, when Google was fined $22.5 million by the U.S. Federal Trade Commission over its illicit changes to Safari’s default security settings.

Now, three years after taking the job, Whitten is stepping down — and, surprisingly, someone’s already waiting to succeed her.

Taking her place is engineering director Lawrence You, an eight-year Google vet who has already worked with Whitten and the Google privacy team.

But You isn’t going to have a much better time than Whitten did.

One of the big concerns for him going forward will be Google Glass, and as it slowly creeps into release, it’s already raising all sorts of tough privacy questions.

Fortunately, unlike the London-based Whitten, You hails from Mountain View, which is home to the inventors of Glass and similarly troublesome inventions like Google’s self-driving cars. That should put him closer to the action — and the controversy.

Here’s what Google has to say about Whitten’s move.

During her 10 years at Google, Alma has done so much to improve our products and protect our users. The privacy and security teams, and everyone else at Google, will continue this hard work to ensure that our users’ data is kept safe and secure.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

An update to Apple’s Find My Friends app expands on your friends’ ability to know when you arrive at a specific location without you knowing, according to Ars Technica.

The Find My Friends app lets you locate friends who have shared their location with you through the app. You not only can see where your friends are, but the app lets you set up notifications for when they enter and leave a specific location as well. In this latest update, Apple now lets you expand that “geofence” from just that location to a radius around that location as far out as you’d like.

Apple intended the app to be used as a way to find people you’re meeting at a concert or know if someone is running late to a dinner because they’re stuck in traffic. But we all know there’s a seedy underbelly of humans who might use this type of tool to disrupt people’s privacy.

As Ars Technica notes, Apple released the feature that allows you to choose a location and be alerted when a friend arrives at that location in September 2012. But now you can use the pinch-to-zoom feature to expand the radius of that location. For example, if you want to know every time your friend goes to the Ferry Building, you can expand that “circle” to know if they’ve even entered downtown San Francisco.

The update also now lets you search for locations to set up these geofenced alerts.

Of course, you can always stop sharing your location with a person if you feel they’re abusing the system, but it’s something to keep in mind regardless of how much your trust your contacts.

FindMyFriends image via Apple

Rachel Greenberg writes about residential and business VoIP solutions and technology for VoIPReview.org.

In mid-January, VoIP service provider VoIP-Pal successfully tested their new Lawful Intercept Technology. Labeled “LI” for short, VoIP-Pal’s intercept technology allows law enforcement agencies to tap into VoIP calls without either the calling or called party knowing. As VoIP gains more and more customers each year, it has become increasingly necessary for law enforcement officials to have access to the same kinds of security protocols with VoIP as they do with analog service.

After the successful test, VoIP-Pal received a patent from the US Patent Office for their LI Technology. Soon, the company will make their technology available to VoIP service providers, who will face growing insistence from the government to support LI access.

VoIP-Pal CEO Dennis Chang says “it is only a matter of time when it will become mandatory for all VoIP service providers.” However, now that law enforcement agencies have a new way to wiretap VoIP calls just like analog calls, the discussion continues over wiretapping regulations.

Why is VoIP wiretapping important?

Unlike traditional phone service, VoIP is much harder to wiretap because it isn’t directly tied to a physical location. Additionally, the voice data contained within a VoIP call can be encrypted in such a way that it is hard for law enforcement agencies to decipher a call.

VoIP also allows users to be mobile, giving them access to their VoIP service from anywhere in the world. As a result, law enforcement agencies struggle with adequately wiretapping VoIP calls. However, police groups need to be able to wiretap VoIP calls just as they need to wiretap any other call: when there is reasonable evidence of suspicious or unlawful activity, wiretapping can provide invaluable evidence.

How has wiretapping changed?

Wiretapping with traditional phone service dates back to the late 1800s, and the earliest days of the telephone. During the Prohibition Era, law enforcement organizations used wiretapping evidence to convict known bootleggers by recording their phone conversations. Wiretapping became a useful tool against organized crime, as long as it was used within the confines of the law (that is, there was sufficient evidence to necessitate the privacy violation associated with wiretapping).

At times, wiretapping was abused by law enforcement, though, and so laws have been put in place to ensure only legal wiretapping, sometimes called lawful interception, takes place. These laws require law enforcement agencies find just cause before presenting their lawful interception request to a judge. The judge will then issue a court order for lawful interception. Then, and only then, is law enforcement authorized for wiretapping.

Currently, police have to go through this same process before wiretapping a VoIP call, but it could be technologically difficult to tap into the conversation. With VoIP-Pal’s patent, system barriers should no longer prevent police from successfully tapping VoIP calls.

What Does This Mean for VoIP?

With LI services ready to launch, it could soon become equally easy to wiretap a VoIP call as any analog call. However, residential and business VoIP customers should expect no changes in their regular VoIP service. This technology will just prevent criminals from using VoIP services to circumvent the risk of wiretapping.

That said, wiretapping is still in a grey area for law enforcement agencies. Since VoIP sends voice data over the Internet, it’s harder to classify as a traditional phone service, which means laws will need to reflect the technological differences in the system. Although there are strict rules involving wiretapping traditional phone service, regulations surrounding newer communication services (i.e. text messages and emails) are a little less clear.

Many law enforcement agencies can access email and text correspondence without jumping through as many hoops as they do with wiretapping phones. Will VoIP fall under the same jurisdiction as text messages and emails, or will it be treated like traditional phone service? That’s a question the government will need to answer in the next year or so.

Eavesdropping photo via Everett Collection/Shutterstock

Rachel Greenberg writes about residential and business VoIP solutions and technology for VoIPReview.org.

From personal experience I know bugfixing can be like putting up wallpaper: smooth down one air bubble, only to watch it pop up again in another place. Which apparently is exactly what Apple is doing recently with its iPhone operating system, iOS.

Exactly one day after Apple released iOS 6.1.3 to squash two lock screen bugs, another one has emerged:

This new flaw only affects iPhone 4, apparently, so it is less severe. However, it does allow access to your address book and stored photos, without having to punch in your security code. For many, that might not be horrible, but it certainly is private information … even if you don’t have any personal photos from a special someone on your device.

This has got to be getting a little old for Apple, and I can only imagine how Steve Jobs would react to yet another lock screen bug appearing just hours after Apple’s latest bugfix. Even though this might be a fairly minor security hole that requires physical access to the device, Apple’s reputation for quality is at stake.

And, it’s no small thing to update hundreds of millions of mobile devices, each requiring user intervention for system updates.

photo credit: Travis S. via photopin cc

Hat tip: Cult of Mac

BREAKING: Weev sentenced to 41 months followed by three years of supervised release.

— Tim Pool (@Timcast) March 18, 2013

Just moments before sentencing, Auernheimer (also known as Weev), was cuffed by court officers in a struggle over his tablet and phone. Auernheimer, who was not permitted to use computers with keyboards, was asked to surrender his devices, but tried to hand them to his lawyer.

“It looks like Andew got slammed into a desk by federal agents while trying to hand his phone to his lawyer after the court asked for his phone,” his publicist told me via email.

Auernheimer is, by all accounts, a controversial figure, which became abundantly clear in a Reddit AMA (ask me anything) conducted yesterday.

He’s a founder of GNAA (Gay N*iggers Association of America), a group that probably has no actual gay or black members and seems, much as many other online trolling groups, to be devoted to causing as much online damage and destruction as possible. He’s also a member of Goatse Security, a grey-hat organization that focuses on finding and exploiting computer and website vulnerabilities. And he has done things online that most of us would consider morally reprehensible and ugly, if not precisely illegal, such as taking a leading role in the massive online harassment that caused usability expert Kathy Sierra to abandon the Internet.

But the specific charges that he was convicted of and has now been sentenced for seem tame by comparison. Essentially, he queried a public server with exactly the same kind of request your browser sent to the servers that run this website, aggregated the results, and sent them to a news agency, Gawker.

Auernheimer got a harder sentence than the #Steubenville rapists. One journalist equated the prosecution of hackers to the Red Scare.

— Tim Pool (@Timcast) March 18, 2013

The charges were based on the same law that federal prosecutors used against Matthew Keys, Aaron Swartz, and Stephen Watt: the Computer Fraud and Abuse Act, which opponents have decried as vague and Swartz’s lawyers have said was misused by federal prosecutors to overly-aggressively pursue Swartz, who ended up committing suicide.

Auernheimer knows he is not exactly a lovable figure.

“I’m a nutjob from Arkansas,” he told me yesterday. “That’s any sane person’s perspective.”

But the question today is whether his exact actions in the AT&T case were illegal. And if they were, how many other actions of ordinary Americans are now being criminalized?

Auernheimer told me yesterday that he already plans to appeal the sentence, and the EFF is helping with the appeal.

photo credit: Funky64 (www.lucarossato.com) via photopin cc

Tomorrow, he’s likely going to jail.

“It’s a fucking ludicrous charge,” Auernheimer told me this morning from New Jersey. “The FBI has tried to frame me for terrorism five times, and by their own admission they’ve been surveilling me since I was 15 years old.”

Update: Auernheimer was sentenced to 3 years in jail and $73,000 in fines

But tomorrow he expects to go to jail. In preparation, he and supporters have rented a 10,000 square foot hall where they’ll party the night away in perhaps his last taste of freedom for 10 years.

If he does go to jail, it’ll be the latest chapter in a long list of federal prosecutions of computer “crimes” by hackers who are forcing mainstream society to reconsider what freedom of speech means online, what is an appropriate response to a corporation’s poor security, and what kinds of access constitute crimes. That list includes Aaron Swartz, who committed suicide after what many have said was DOJ misconduct.

The story starts with a boneheaded AT&T decision.

During the summer of 2010, Auernheimer and co-defendant Danile Spitler discovered that by querying AT&T’s iPad servers with a string of numbers that matched subscribers’ SIM card identifiers, AT&T’s servers would send back the unencrypted, unprotected email address of the AT&T customer, the iPad owner. AT&T had a massive security design flaw, which, as it admitted in Auernheimer’s one-week trial, was intentional: for subscriber convenience. After running the script to capture 114,000 email addresses of AT&T iPad subscribers, Auernheimer sent a list of the email addresses to Gawker to highlight the security hole. Gawker then printed them in redacted form.

“If you buy an Apple product, you have a right to know that Apple partners could compromise your privacy,” Auernheimer told me, explaining why he sent the email addresses. “And that they take six months to patch security issues.”

So there’s obviously a security issue. And there’s obviously a privacy issue. But where’s the crime?

“We sent Get requests to a public API,” Auernheimer says. “They charged me with unauthorized access to a computerized device … and identity theft, which is a possession charge … if you walk down a street and write down physical addresses, you’re stealing identifiers, and you’re an identify thief.”

If sending Get requests is a crime, we are all criminals.

You could be charged with unauthorized access to a computerized device, for instance, simply because you clicked on the link that brought you to this article. Oh, and Google, one of the most successful corporations in the world, is the root of all evil. A Get request is simply a note from a browser computer code asking for a resource. You issue thousands of them every day all by yourself. Google issues billions.

Whether the receiving server responds to that request in any way, shape, or form is entirely at the discretion of the developers and system administrators who control that server.

The CFAA does not define the phrase “unauthorized access,” so according to Auernheimer, the government essentially told the jury that his access to the server was unauthorized because they said it was. Which, if true, means that whether you commit a legal act or an illegal act is at the discretion of anyone who runs a webserver, who can change their mind at any time without you knowing.

Good luck following the straight and narrow.

After a one-week trial, a jury found Auernheimer guilty on November 20 after just a few hours of debate. Auernheimer told me that his friend overheard “vicious arguing and screaming” in the jury room, so there was some serious debate, but there was a potential reason to be fast, and maybe even hasty.

“The trial was right before Thanksgiving … I think people wanted to get the hell out of there and get to Thanksgiving,” Auernheimer said.

Tonight he’s awaiting sentencing, which could be up to 10 years in jail and up to $500,000 in fines. And he’s not too hopeful that the judge will go easy on him.

“I’m probably going to prison, and they may take me into custody immediately,” Auernheimer told me. “But I have an excellent chance on appeal … any sane examination of the CFAA at this point is going to realize that it criminalizes all web access.”

The Electronic Frontier Foundation has already agreed to help him with that appeal.

A judge ruled today that the government cannot assign gag-orders to national security letters (NSL) — the requests for data and other information that the U.S. government uses to get details on about specific people in the name of national security.

Judge Susan Illston made the call today, saying the gag-orders associated with such letters impede freedom of speech, and that the letters are overall unconstitutional. The judgement came after a telecommunications company challenged one of these orders, saying it wanted to go public with the fact that the government was requesting information. The company, which remains unnamed, was represented by the Electronic Frontier Foundation (EFF).

This is a big step for many who think these letters result in too much secrecy around government surveillance and give agencies like the FBI the ability to hide behind a curtain. Companies like Google and Facebook create transparency reports showing government data requests from around the world, but have not been able to include information about national security letters because of their nature.

“The government’s gags have truncated the public debate on these controversial surveillance tools. Our client looks forward to the day when it can publicly discuss its experience,” said Matt Zimmerman, the senior staff attorney for the EFF, in a statement.

The judge is giving the U.S. government a grace-period of 90 days to allow them to appeal the decision.

Many have already taken to Twitter in support of the decision. Researcher Jacob Appelbaum tweeted, “I look forward to the court order that ensures all current and past people targeted by FBI NSLs are notified and encouraged to file suit.”

hat tip Wired; FBI image via cliff1066™/Flickr

If you’re doing something illegal/regrettable/potentially damaging, it’s probably best not to do it using your company email address.

That’s always been sage advice, but it’s being hammered home with the latest controversy coming out of Harvard University.

Last fall, Harvard said nearly half of those enrolled in a 275-student class had cheated on a take-home exam in Spring 2012. Soon after, someone at Harvard leaked to the press an email detailing how faculty members should advise students charged with cheating. That was a big no-no.

To figure out the source of the leak, Harvard went digital and scanned the email accounts of 16 of its resident deans, reports the Boston Globe.

While that’s bad enough, what makes it worse is that Harvard only informed those affected last week– months after the scans occurred.

Harvard’s defense? It’s all about protecting its students. Says Harvard Faculty of Arts and Sciences dean Michael D. Smith:

If circumstances were to arise that gave reason to believe that the Administrative Board process might have been compromised, then Harvard College would take all necessary and appropriate actions under our procedures to safeguard the integrity of that process, which is designed to protect the rights of our students to privacy and due process.

In spite of the scans, the university still hasn’t charged anyone with wrongdoing, which likely means it couldn’t figure out where the leak came from. Either way, Harvard’s biggest concern going forward will be dealing with the questions of whether the scan violated its electronic privacy policy, which mandates that faculty be notified in advance if their email accounts are searched.

Harvard Computer Science Professor Harry Lewis chimed in on the story in his personal blog:

This seems to me a sad incident which raises many questions. If an employee’s boss wants to spy on her, who has to sign off on it and how does it get done? How many such searches have been done over the past five years? Is it always done without informing the target? Have the targets generally been people like these resident deans — people with both teaching and administrative appointments?

Lewis doesn’t know the full story, but the situation has forced him to consider moving all of his personal email to his non-Harvard email address. And I suspect he’s soon to have lots of company.

Photo: mararie/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

While IT departments are freaking out about the new devices entering their offices, parents are having a very similar freak out when children bring home those shiny tablets and smartphones. Qustodio, which creates software to help parents keep an eye on their kids’ online behavior, raised $1 million in a seed round of funding today.

The round was led by W8 Ventures.

Spain-based Qustodio created the product, keep in mind that families have “more connected devices than the average small business did five years ago.” It prides itself on giving parents control over what apps can be used on those devices, how much time is spent on the device as well as set up rules around device usage.

Children may be unhappy to discover that Qustodio also lets parents watch what they’re doing specifically on Facebook and other social networking sites. Parents can monitor Facebook chats and searches as well as view browsing histories and which applications have been opened in a given session.

There is one dashboard that parents can use to control all of these devices, which may include tablets, smartphones, and home computers per child. It is currently only available on Windows and Android, but the company says it will soon release a version for Mac.

Qustodio is based in Barcelona and was founded in 2012.

Parent child devices image via Shutterstock

This guest post is by Piyush Bhatnagar

[Our post on a startup called Outbox launching its new system of mail delivery in San Francisco received a good deal of interest from readers. This is one reader's response.]

Innovation is the engine of America’s economic growth. Entrepreneurs are coming up with radical new ideas every day, and new startups create new products, services, and business models. Some of these ideas will change the way do things today. So let’s take a look at one such company that is attempting to change the way we think about the mail.

Outbox launched in San Francisco on Feb 26th, 2013. The company was founded in 2011 in Austin with a goal to provide an alternative to the old system of mail delivery. Outbox’s team of “Unpostmen” will collect your mail three times a week, bring it to a warehouse, digitize it and provide you access to it through web or mobile devices. They will also discard your junk mail, which in my opinion is a huge service in its own right.

Outbox will do all this for a small sum of $5 a month, so you will never have to visit your postal mailbox again. They will also deliver you a package, in a fancy Prius, if you request your original mail from an iPad or smartphone within 30 days on its receipt. After 60 days, your physical mail will be discarded and shredded so you wont have to worry about old mail sitting in some warehouse. Outbox uses strong 512-bit encryption, and prevents digitized mail from falling into the hands of someone other than the intended recipient.

The company has already raised $2.2 million from Floodgate Fund and angel investors, including Peter Thiel. However, there are others in this space who are working on making your physical mailbox obsolete.

I can appreciate the process of innovation and respect anyone who tries to create something new. But Outbox does raise a number of questions as well.

Privacy issues

Despite their innovative take on “old style” mail, one word sums up the problems with Outbox’s approach, and that’s privacy.

Outbox employees will open every mail or package that I receive, and digitize it. According to Outbox’s FAQ, their operations specialists use their custom built machines to open, lay out, and photograph your physical mail. These files are then optimized and processed digitally, and then delivered to your digital account. They also state that all “Unpostmen” –and anyone at Outbox who interfaces with your mail — go through a stronger background check than U.S. Postal Service workers go through, giving the the best trained and highest rated workforce.

Typical mail may include checks, personal information, private communication, legal documents, and many such things. In traditional system, even though USPS/FEDEX/UPS staff handles your mail, it is sealed by the sender and opened only by you.

Identity theft and mail fraud

In Outbox’s model, someone other than the recipient opens every piece of mail. Outbox states that they have strict policy and technical controls in place, including prohibiting employee’s access to critical documents (except in rare cases.) In addition, Outbox states that it is insured up to $1 million against identity theft.

Despite Outbox’s assurances that it is making sure you and your accounts are safe, there is a distinct possibility of identity theft. Just the fact that the mail needs to be opened physically and maintained in a warehouse for up to 60 days provides a window of opportunity to identity thieves and fraudsters. There are liability issues related to someone else opening mail and a problem of accountability. Who is responsible for a lost mail or documents? That is still not clear.

How will Outbox make money?

Outbox is offering the service for $4.99 per month, with no additional fees for delivery or mail volume. Since they will deliver mail through an app or web, there is potential to add digital ads as a new revenue stream. The costs of running this business are surely prohibitive otherwise.

The costs for sorting and digitizing equipment, the warehouse for storage, hiring “unpostmen” as well as other warehouse staff, the vehicles for mail pickup and delivery will quickly add up. It is quite likely that Outbox will be replacing junk snail-mail with its own digitized avatar.

Is this a problem worth solving?

As a fellow entrepreneur, I highly respect the out-of-the-box thinking of the Outbox team and admire their tenacity in coming up with an innovative alternative to the “old style” mail.

The main question that comes to mind is whether this is a problem that needs a solution. Most service providers, banks, electric companies, phone companies, and so on, allow consumers to choose electronic billing. Electronic payments are commonly used alternatives to sending checks by snail-mail. These practices avoids the snail mail altogether and also ensure that only the senders and recipients get to see the contents and no one else.

If you determine that you need an alternative to USPS, is Outbox worth the risk? I am not comfortable with anyone else opening my mail. Are you?

Piyush Bhatnagar is the Founder and CEO of Authomate Inc., an early-stage security startup. He a seasoned technology executive, entrepreneur and consultant with over 20 years of experience in technology development and management at companies like AT&T and Bank of America. 

Mailbox image via Joe Belanger, Shutterstock