Disposable Mail Addresses (and Finding Alternatives)

Trashmail.net went pay-only (because of spammer abuse!) last summer, and I only discovered it recently as I don’t use these services all that much. During the search for alternatives, I found new ways to search for alternatives.

The service AlternativeTo has always been a good place to go for desktop software alternatives; now they include mobile platforms and online applications as well. The list of alternatives to TrashMail is extensive and interesting.

The other interesting item is Google’s related: operator. This can be used during searches, but at the bottom of a search there may be a link to sites similar to the one searched for. In the case of Trashmail.net, Google returns a lot of alternatives.

As an ironic twist, consider this: Google has a list of sites similar to AlternativesTo.net.

Your Employer Owns Your Phone

According to a story from NPR, Amanda Stanton’s phone (an iPhone) was completely wiped remotely (accidentally) by her employer, and without her consent or knowledge. This was done not to a phone given to her by her employer, but to her personal and private phone.

This kind of power can be abused quite easily, and is also prone to mistakes such as this one. What is an IT department to do?

A situation like this requires balancing the desire of a company to protect private conversations and to protect trade secrets and so on, against the right of an individual to have their privacy rights respected.

Making this worse is the fact that personal gadgets and corporate gadgets (and technology) are mixing together like never before: for example, people buy their own phones and use them at work, and people use corporate phones to make personal calls. This mixing of personal and professional is only going to grow.

On a personal level, protecting yourself from this sort of accident means not connecting your phone to Microsoft Exchange, which provides the ability to perform a remote data wipe. It might be possible to forward or otherwise use a “proxy” to handle the mail from Exchange before mail gets to you – possibly sanitizing the mail – but this is conjecture.

From a corporate standpoint, this ability is a lawsuit waiting to happen. There has already been a lawsuit – City of Ontario v. Quon – that went to the Supreme Court about the privacy of text messages. The court found that the text messages should receive the same privacy expectations as that of emails, which meant the city could use them against Quon in the case that was ongoing. The Electronic Frontier Foundation saw hopeful signs for workplace privacy in the future.

Do You Have a Data Retention Plan?

If you don’t, your company could find itself having to save documents it would much rather have gotten rid of when a lawsuit occurs. More importantly, customer information is protected by law and not handling it with care can lead to significant and adverse consequences.

Consider the tale reported over at the Clutter Diet blog. The company in this tale did not handle customer data properly at all.

Shredding document isn’t enough either; companies will reconstruct the shredded documents for a hefty fee – even from cross-cut documents. In the New York Times (July 17, 2003) Doublas Heingartner reports about an effort to reconstitute hundreds of documents from the East German Stasi (or secret police).

The best thing to do is to have a written and accurate plan for disposing of documents, and a method of disposal that precludes reconstitution. The US military now uses pulping and pulverizing of paper; it should be possible to do this with corporate documents in some fashion as well.

A data retention plan should, of course, manage electronic documents as well. Sensitive documents should be deleted and the hard drive space wiped. If the hard drive is to be disposed of, physical destruction is the only way to completely be assured of total data loss; however, your company may very well be satisfied with a complete wipe of the drive with tools like Darik’s Boot And Nuke.

Just do it. Your lawyers and customers will thank you.

How to Lose Your Life to the Law

Recently, the blog Gizmodo received a pre-release version of a new iPhone, and examined it and wrote about it. This caused Apple to request it, then a flurry of legal actions (including search and seizure) by the government.

What no one has wrote about is how this must have brought the reporter’s life to a complete standstill, with a loss of practically everything he uses and everything he knows. Consider what was taken from Gizmodo reporter Jason Chen:

  • A Samsung digital camera. How many photos were on it? Family photos? Friends, events, etc.?
  • Three Apple laptops and an IBM Thinkpad. How many articles were on them? How many emails? How many documents that Jason was working on?
  • An HP Mediasmart server. How many songs?
  • An external hard drive and several USB thumb drives. How much data was on these drives? Finances? Sources? Records? Insurance records? Health details?
  • An Apple iPad. How much was this being used? Did it contain important parts of Jason’s personal life?
  • An Apple iPhone. This would have had an address book, phone numbers called and received, and more.

In short, the officers of the law seized Jason’s entire digital life – for a sort of extended search in absentia.

No word on whether online services were served with warrants. Not only is the search warrant executed on Jason Chen sealed by the court, but the request to seal is also sealed. Thus one doesn’t know what they were looking for, nor why it is supposed to be secret.

So what’s the answer? The only answer is a change to the laws of the country or personally hiding and squirreling away your data. About the only thing to do in this day and age is to put your data onto a server which is in a country with excellent privacy laws, like Switzerland – the way Neomailbox has done with email. If this concerns you, you should check out the Surveillance Self-Defense site sponsored by the Electronic Frontier Foundation.

OpenID: When Versions Conflict

OpenID was supposed to be a web-based single sign-on; however, the conflicts between versions can cause confusion – and prevent sign-on.

When presented with an OpenID sign-on box, you should sign in with:

userid.openidserver.com

For example, with a userid of jdoe at OpenID provider myopenid.com, enter this into the OpenID text box:

jdoe.myopenid.com

(OpenID.net has a more detailed description of the process.)

The problem with using OpenID comes when people try to use OpenID providers like Google.com and Yahoo.com with sites like Toodledo.com: the problem is that Toodledo.com only connects with providers that support OpenID 1.0; there is no message to suggest that the provider does not support that version. Google and Yahoo only support OpenID 2.0; other providers may or may not support OpenID 1.0.

Will Norris has a list of OpenID providers and the features of OpenID they support (broken down by feature). Look for providers that support things like the following:

  • openid-html
  • signon-10
  • sreg-10

Those providers that support these are, I suspect, most likely to support OpenID 1.0 (worked for me!). Also, if you are evaluating these providers in order to choose one, look for a provider that supports a lot of these features of OpenID.

OpenID.net has the specifications for all the versions of OpenID and the features of each.

I chose to go with myopenid.com for my OpenID provider; so far so good – and it works with Toodledo.com (vital!). Another thing – at least with myopenid.com – is that you get an identity page that others can see (I have one).

Another OpenID provider is WordPress.com; if you’ve a login on WordPress.com you have an OpenID. No word on whether WP supports OpenID 2.0.

Cloud Computing: Privacy Concerns

Over at Ars Technica, there is an article about privacy issues with cloud computing.

Of particular note, the US Federal Trade Commission (FTC) sent a letter to the Federal Communications Commission (FCC) bringing up the need to work together to protect the American consumer during the development of the Broadband plan. The FTC has an entire section of their web site dedicated to Internet Privacy and Security, as well as other areas.

Government access to cloud-based documents can be much easier than getting it from the source; it is all up to the cloud service provider whether to turn your data over or not.

The provider might not even be in the United States, which means a whole new set of rules would apply. The government might have continual monitoring already in place, such as in New Zealand for example.

No matter where the provider is, it is really the location of the data – which servers it lives on – that matters. This could change over time; the data could be in the United States today and in China tomorrow. Thus the laws pertaining to data privacy and protection could change without notice.

The World Privacy Forum has a nice detailed whitepaper titled Privacy in the Clouds that makes for interesting reading. Every business considering moving data to the cloud should read this paper.

There is a nice article on Viodi based on a presentation from Nicole Ozler of the ACLU of Northern California (titled ACLU Northern CA: Cloud Computing – Storm Warning for Privacy?) which describes some of the legal aspects of cloud privacy (in the United States).

A recent article in the MIT Technology Review describes privacy and security in the cloud as well. The article suggests that encryption is one answer, but more sophisticated encryption than we have now: straight encryption removes the ability to work with data online (such as searching), and prevents others from looking at the data (in the case of shared data). The article also suggests that data could be limited to a particular area by the provider (such as being hosted solely within the United States).

How Public is Your Life?

There was a very interesting article by the ever interesting Chris Matyszczyk on his blog Technically Incorrect on the CNET Blog Network.

He references Facebook and Twitter in the headline and article and asks why people online today seem to put anything and everything online and then seem shocked when millions of people read it.

It is also interesting as I don’t have a Facebook account nor a Twitter account just for those reasons – and I don’t foresee having one anytime soon.

Workplace Privacy in the News

Workplace privacy is in the news again. The U.S. Supreme Court will hear the case of City of Ontario v. Quon in which personal text messages were sent on an employer-provided pager. Are these text messages private? Does the user have an expectation of privacy?

The blogs SCOTUSblog and the Volokh Conspiracy both reported on this, as did the mainstream press, including National Public Radio, the Christian Science Monitor, Reuters, the New York Times, the L.A. Times, and many more. The New York Times hosted a written debate about the issue.

Workplace privacy doesn’t involve constitutional rights, as there is no right to privacy in general and the constitution has been held to be specific to the government, not private employers. However, the issue is such that many organizations have focused on this topic: for example, the Privacy Rights Clearinghouse, the Electronic Privacy Information Center, the Publishing Law Center, and the ACLU. The ACLU states that “…the ACLU receives more complaints about workplace rights violations than about any other issue.”

As administrators, these issues affect us directly: it is often administrators who implement and oversee much of the technological surveillance, including digital cameras, email surveillance, web filtering, and more. It also becomes important in terms of protecting privacy as well, preventing data from leaking out from corporate servers. There is also e-discovery in which documents must be turned over during the case of a trial.

Before implementing a new method of monitoring, one should be aware of the laws involved and also implement a written policy that all employees will be made aware of. If this is not done, an admin can find themselves on the wrong side of the law.

This lawsuit has the potential to rewrite the laws on workplace privacy; the SCOTUS Wiki has a nice write-up on all of the details.

The Dark Side of Cloud Computing

If you have information in “the cloud” instead of on your personal computer, there is a dark side that you should be aware of.

The information that you save to the cloud resides on servers elsewhere, such as California or Korea or Canada. Wherever those servers reside, there are laws that govern them and the corporation that controls them. These laws may permit access to that information that is much looser than where you are.

Even within the United States, there is a big difference between the data stored on your personal computer or laptop and the information stored on external servers. The United States government must get a warrant signed by a judge before searching your home (and home computer); however, a warrant is not necessary to get a corporation such as an Internet Service Provider (ISP) or others to give the police your data. Companies such as Google and others can be forced to give the police data without notifying you.

This data is not just on the servers, but can also be found on backup tapes as well. Some services – either by their nature or by design – will keep multiple versions of your data, so all past versions can be scanned.

Cloud computing can be brought in-house to some extent, most notably by using open source projects such as eyeOS (which provides a remote desktop). If you are truly concerned by leaving your data open, do not use unsecured network protocols, and do not set up a server with a hosting service: you must run your own server internally.

Other services will provide a key which encrypts the data on their servers – such that the hosting service cannot read any of your data. These are the best services to use, although they may be harder to find. The most likely cloud computing services to do this are backup services as well as those specializing in privacy.

For example, SpiderOak keeps all data on their servers encrypted – so even they can’t read it. Mozy appears to offer the same capability.

Password storage sites also have security built-in; both Clipperz and PassPack have encrypted all of the data on their servers, preventing anyone from reading your data.

However, Google Docs, Zoho, and Thinkfree Office all appear to keep data on their servers readable by anybody – thus, your data could be subponeaed by a court of law if necessary.

It’s unlikely that any of the “micro” services would offer encryption of your data – services like del.icio.us or Joe’s Goals or Zotero.

There is also the possibility of losing all of your data due to a site shutting down. Some sites, polished though they may be, are run by individuals or tiny companies; thus one should not rely on cloud computing alone. Backups should be replicated internally – including backups of all data stored externally.

One good example of this would be the service Magnolia – the service suffered a total data loss stemming from a disaster that took place in February.

Thus, like RAID, cloud computing alone is not a backup!

The Surveillance Self-Defense Project

ssd-banner-bg

The Electronic Frontier Foundation recently created the Surveillance Self-Defense Project, with this focus:

Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?

This will help you take back your privacy (in as much as it can ever be taken back).

This information is specific to the United States government, but there are other parties that are very interested in spying on you: your employer, advertisers, foreign governments, online stores, and many copyright holders.

Read the documents at the SSD Project and see how to increase your privacy in the surveillance society of today.

Follow

Get every new post delivered to your Inbox.

Join 43 other followers