Concrete Steps to Take to Minimize Risk While Playing Pokemon GO

5 min read

The launch of Pokemon GO highlights various privacy, security, safety, and privilege concerns with how we use and access tech. While these concerns existed prior to Pokemon GO, and will continue to exist long afterwards, this provides an opportunity to highlight some concrete steps for using technology more safely and taking control over data collected about us. While none of the steps outlined in this post are a panacea, they all allow for incrementally more control over data collected about us. Also, this post focuses on the privacy and security concerns. The safety and privilege concerns are equally real and worthy of attention - as with all tech, we need to take a hard look at who can access the tech, who is pushing adoption of the tech, who benefits most from its use, and who profits most from its use. Time permitting, I will dig into these concerns in a different post.

Art LaFlamme also put out a post that covers additional details - it's definitely worth a read.

Without further ado, here are some concrete steps you can take to reduce data collected about you.

1. Turn off services that can be used to collect location information.

Apps with location based services all collect precise location information. A short list of apps that collect location information includes Uber, Disney Experience, Snapchat, Facebook, Pokemon GO, insurance devices, FitBit, Google, Twitter, virtually all of the apps marketed to parents that track their kids in the name of "safety," Voxer, reward program apps (like Marriott and Starbucks), and banking apps - so Pokemon GO is not unique in its aggressive collection of location information. The primary concern with aggressive collection of location data is that it will be used for targeted marketing. A secondary concern is that it will be stored and used indefinitely by data brokers, and incorporated into data profiles about us that we will never be able to access.

The concerns listed above are very valid, but it's also worth noting that this steady flow of location data can also be accessed by law enforcement. The privacy policies for most applications contain a clause that explicitly permits personal information - including location - to be turned over to law enforcement. 

For example, Fitbit can release data "If we believe that disclosure is reasonably necessary to comply with a law, regulation, valid legal process(.)" 

Progressive Insurance will release data "when we're legally required to provide the data(.)" 

We are not used to thinking about generating a data stream while playing a video game, but we really need to adjust. With apps like Pokemon GO, our location can become a target for law enforcement. If one kid accuses another of an assault, or of taking part in a robbery, location data collected by the app is now evidence.

To minimize the risk of location based data being collected, toggle location based services off until you absolutely need them. When you leave your house, turn off location services, Bluetooth, and wireless. This means that the only company tracking your location on an ongoing basis is your mobile phone carrier.

2. Create a separate email for games

Create a gaming email (via GMail, Yahoo, Outlook, etc), and use this exclusively for games. Ideally, tie this gaming email to usernames and even demographic information that does not identify you personally (and note - doing this can potentially violate the terms of service of some apps that insist upon "accurate information"). However, for games that broadcast your username and location, this additional layer of separation between your username, your "regular" email, and your actual name can provide a small layer of insulation from other players.

Note that this does not prevent companies from identifying you. Companies will still have (at minimum) your device ID, and the IP addresses from which you connect. Additionally, many apps will access your phone number, your call log, your text log, your contact list, and the other apps you have installed on your phone, among other things. The Google Play store lists out the permissions required, so it's easier to spot these types of intrusions into our privacy on Android based phones than on iOS devices. On apps that support both platforms, you can do a rough cross reference from Android to iOS. As an aside, I do not understand why Apple doesn't list app permissions in the same way as the Play store. 

3. Login with your gaming email whenever possible

Avoid social login with your Google, Twitter, Facebook, etc, account. This is arguably less convenient, but it creates an incremental barrier to inappropriate access of your personal information, and to these companies getting more detailed information about your online behavior.

4. Review your authorized apps

Every month, review what apps are authorized to access your accounts.

By aggressively removing apps that no longer need access, you minimize the risk that one of these apps could be used to compromise a different account.

5. Reset your advertising ID.

This should be done monthly. However, it should be noted that vendors are not required to use the advertising ID, and that many companies collect device specific IDs that are more difficult to alter.

These changes won't prevent more aggressive companies from collecting your device ID, but it provides some incremental improvements.

Summary

As noted in the introduction, none of these steps are panaceas, and none of these steps will eliminate data collection. However, these steps will minimize exposure, and will bring back a degree of control to those of us looking to both use tech and maintain a modicum of privacy.

Civil Rights Complaint Filed Against Portland Public Schools

5 min read

UPDATE - July 6: According to Willamette Week, Paul Anthony met with Carole Smith on January 26, 2016, and documented the core findings that drove his civil rights complaint. He filed his complaint on May 26, 2016. Between January and May, the Portland Public School Board - of which Anthony is a member - reviewed the District-wide Boundary Review Advisory Committee (DBRAC) recommendations. On April 12th, Anthony is quoted in this DBRAC-related story talking about implementation plans moving forward for East side schools. As noted in this document about the goals of DBRAC, ensuring equitable access to resources is a key goal.

So, if I'm understanding this correctly, a school board member had evidence that, in his estimation, rose to the level of a civil rights complaint. He had this evidence in January, and was part of a review process that was designed, in part, to address these very needs. Yet, during the entire review and discussion process, the documentation was never shared. Why not? Why sit on data that documents the exact issue the district is trying to solve when you are part of a group of people providing guidance and input to this process?

If I am mistaken here, and the documentation used to drive the civil rights complaint was introduced during a public school board meeting, please share the link to the meeting video, and I'll watch the video and update this post accordingly. But, if this information was never shared publicly as part of the DBRAC review process, or as part of any budget review process, I'd love to know the rationale for keeping it private, rather than for sharing it publicly in the middle of a process where the information could have been put to good use. END UPDATE.

ORIGINAL POST

Paul Anthony, a Portland School Board member appears to have filed a federal complaint alleging racial discrimination. According to the Oregonian, the complaint was filed in late May.

The Oregonian story linked above has some quotes from the complaint (note - I have not read the complaint, save for the excerpts covered in the Oregonian story), including:

"Superintendent Smith permits her staff to discriminate on the basis of race, color and national origin in access to educational course offerings and programs," the complaint says. "PPS data proves that students of color cannot access courses tied to long term academic achievement. For example, they disproportionately are not offered access to foreign language, academic supports, and electives that white students access."

I'm glad to see this issue getting increased attention. It mirrors and amplifies what people with kids have been saying for years. It also mirrors trends we see with how parent fundraising amplifies and enshrines the inequitable distribution of resources. But no one has the appetite or will to take on inequities based on parent fundraising. We allow the Equity Fund to apply band-aids, when what we need is surgery.

The Civil Rights complaint also begs the question of why the school board didn't use its oversight of the redistricting process to address inequitable access to resources. True leadership would have used that opportunity.

And while this might be covered in the text of the complaint, it would be great to see the ongoing problems with racial bias in discipline within Portland Public Schools addressed. We should have school and classroom level data about the source of referrals and suspensions. Looking at this data will make a lot of people very uncomfortable, but in an ideal world, this would have full teachers' and principals' union support within the context of ongoing professional development for their members. Suspensions, expulsions, and disciplinary referrals don't happen out of thin air - they represent choices by teachers, principals, counselors, and other school staff. But, for all the obvious reasons, taking the needed hard look at this issue would almost certainly face strong and determined resistance.

Quoting again from the Oregonian article:

(Paul Anthony) said after painstakingly seeking the data and arranging it in spreadsheets, he couldn't get the traction he wanted on the issues.

In the immediate aftermath of the ongoing issues around lead in our schools' drinking water, many people defended the school board by saying that the board doesn't have the ability to request detailed information outside of a general supervisory role. However, what we are reading about here is real, actual inquiry - and that's a very good thing. That's exactly what we want and should demand from members of the school board. The fact that this didn't happen around issues of lead - despite a well documented history of lead in school water in Portland, going back to 2001 - calls into question the role of the board in Portland's ongoing lead issues.

It's easy to beat up on the district. It's much harder - and more politically costly - to tackle the ossified issue of school funding. It's even more difficult to engage the teachers' and/or principals' unions over issues of racially biased discipline. If we're serious about equity, we can't approach this piecemeal, and we can't just take on the easy fights. An engaged school board willing to listen to the community, and take on the hard issues, is an essential piece of what school improvement will look like.

Amazon Inspire, Open Educational Resources, and Copywrong

3 min read

On Monday, June 27th, Amazon announced Inspire, another free lesson sharing site. What made this effort interesting is, of course, the context: Amazon knows marketplaces, and Amazon knows text distribution. This effort is also part of the Federal Department of Education's "Go Open" work, where Amazon was an early partner.

On June 29th, Amazon removed some materials due to copyright issues. The fact that this happened so early in the process (literally, screenshots distributed to media contained content encumbered by copyright) suggests a few things:

All of these potential issues are directly related to implementation, and have nothing to do with the merits of using Open Educational Resources. However, these obvious issues point to the possibility of other - more subtle, less obvious - issues with the underlying content. For example, if any EngageNY content is reused within Amazon Inspire, that would almost certainly run afoul of the Non-Commercial license used on EngageNY content.

Just so it's clear, the mistakes made within the Inspire platform are all completely avoidable. People using openly licensed content have been successfully navigating these issues for years.

But the other, more troubling development that is implied by the issues surrounding the very avoidable errors with the Inspire platform is that the platform focuses on the least interesting element of open educational resources: distribution. It would have been great to see a high-profile effort that simplified and supported authorship and remixing. The current conversations about OER remain mired in the very narrow vision of textbook replacement. The transformational potential of OER will come when we embrace the potential of both teacher and learner as creator. Open licensing makes this potential easier to realize, as it removes many of the barriers enshrined within traditional publishing and licensing schemes. 

However, when one of the most visible platforms within the latest high-profile foray remains focused on distribution, and can't even address copyright issues within a press launch, it's clear we have a ways to go. The mistakes made in the Inspire announcement are completely avoidable. These mistakes have nothing to do with open educational resources, and everything to do with the specifics of creating a marketplace. When we build tools that focus on redistribution, we create a natural opportunity to address issues of licensing. Ironically, the approach that has the potential to transform the way we view authorship and learning also has the potential to eliminate licensing issues.

Hopefully, someday, our platforms will catch up with the work.

Some Observations on Kahoot!

3 min read

NOTE, from July 1, 2016: Kahoot! updated their app, and their privacy policies. The issues flagged in this post have all been addressed. Also worth noting: their turnaround time in addressing these issues was incredibly fast. For what it's worth, I'm impressed by both the speed and the quality of the response. END NOTE.

In the screencast below, I highlight some issues with Kahoot!, a quiz platform that, according to the company, was used by 20 million US students in the month of March, 2016.

In the screencast, I use two demo accounts to show how an 11 year old student can create an account with no parental consent, and subsequently share content with a random adult within the application. I also highlight a less serious issue with how PINs can be shared to allow for open access over the internet to anyone who has the PIN. 

(note: the screencast has no volume - so don't think your audio settings are on the fritz :) )

Recommendations for Kahoot!

Some of these recommendations look at Kahoot's terms of service and privacy policy. A full evaluation of their terms is outside the scope of this post, but currently the terms lack meaningful detail about important points, such as how data can be used for advertising, or shared with third parties. In addition to a full review of their current privacy policy, a short list of improvements for Kahoot! includes:

  • Implement verifiable parental consent for accounts for people under 13; this should be accompanied by corresponding language in the privacy policy.
  • Inside the service, implement friend lists, and limit sharing to and from student accounts to approved friend lists.
  • Update their infrastructure to improve encryption on their login and account creation pages. Currently, these pages get an F using the Qualys SSL verification service.
  • Update their terms of service to clarify what ownership they are claiming over student and teacher work. Their current terms claim full ownership over all content created using "any open communication tools on our website" - this effectively means that Kahoot! owns all student and teacher work created in their platform, and that they can use that work without limits, in any way they want. While I don't think this is what they intend, they should clarify the details. The precise language from the terms of service is included below.

However, any content posted by you using any open communication tools on our website, provided that it doesn't violate or infringe on any 3rd party copyrights or trademarks, becomes the property of Kahoot! AS, and as such, gives us a perpetual, irrevocable, worldwide, royalty-free, exclusive license to reproduce, modify, adapt, translate, publish, publicly display and/or distribute as we see fit. This only refers and applies to content posted via open communication tools as described, and does not refer to information that is provided as part of the registration process, necessary in order to use our Resources.

There are other suggestions that would improve the service, but this short list highlights some of the more pressing issues documented in the screencast.

Rostering, Provisioning, Owning Your Stack, and Transparency: a Look at Lewis Palmer

6 min read

Through the continuing wonderful work over at Databreaches.net, I read about an odd situation in Lewis Palmer School District 38. The details are still unfolding, but based on the article on databreaches.net and the original report in Complete Colorado, there are a few layers at play here. First, the Complete Colorado piece isn't clear on the technical details - and that's a good thing, because they were printing a story about an unfixed security issue (note - as of today, the affected systems have been taken offline). The ethics of printing information about an unpatched issue are questionable, at best - but we'll return to that later.

Two pieces stand out in the story. First, the data that was potentially exposed seems very sensitive. The exposed data included:

names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.

Second, the Complete Colorado piece includes reporting from a school board meeting held on May 19th. In the exchange below, pulled from the Complete Colorado piece, Sarah Sampayo (a school board member) is speaking with Liz Walhof, the district technology director.

Sampayo questioned the district’s technology director, Liz Walhof, about whether the district planned to make changes to the Gmail accounts. “How easily accessible is that uniquely identifying [student identification] number to the vast community,” Sampayo asked. “And is our kids’ information then protected because you can then log in … with just the kid’s ID number.” Walhof said they continue to look into better formats, but added that right now it is not possible to issue an email without using the student’s ID number.

At the 5/19 school board meeting, a parent shared her experience speaking with the district IT staff. In her public comments, she shared talking with school officials in the fall of 2015 about some of her concerns. The testimony begins at the 53:40 mark of the video. From her testimony, it appears that a student's login ID for Google Apps is the same as their student ID. Therefore, based on how Google Apps works, student emails would also be student IDs, thus ensuring that kids in a class know everyone's login ID.

I'm concerned that children are having to log into GAFE with their student ID numbers. And I was told that is just the way it is.

At this point, it's worth noting that just knowing someone's login ID is not sufficient to gain access. If, however, passwords were known, then that is a serious privacy issue.

And, it appears that the Lewis Palmer School District used birthdays as passwords, and announced this online from at least September 24, 2013 to March 14, 2016.

The two screenshots below were taken with the Wayback Machine. The first was crawled on September 24, 2013.

Wayback machine screenshot

The second screenshot, below, was taken on March 14, 2016.

Wayback screenshot

Both of the screenshots (and the ones taken between these two dates) contain this text:

Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix, Lp@ before your regular birthday password (i.e. Lp@032794). Additionally, you may change this password by entering Ctrl+Alt+Delete and then picking Change a Password. Changing your password this way ONLY works if you are logged into the school network, NOT from home.

This information suggests a couple of things. Starting with the most obvious, passwords appear to be created using a commonly known structure based on a person's birthday.

Second, the instructions about being connected to the school network and changing your password suggest (although I'm not certain on this) that usernames and passwords are centrally managed, meaning that a student has a single login ID and password.

It also should be highlighted that username and password issues do not appear directly related to security issues in either Infinite Campus or GAFE. This sounds a lot like an issue with how accounts were provisioned.

Based on the information available here, it appears that the way the district provisioned emails ensured that every student's login ID was easily available. Because the district both used an insecure default password structure and published that password structure on the open web for over three years, the district created a structure that allowed many people within the community to easily know the usernames and passwords of their peers.

It also appears - based on the parent testimony at the board meeting - that these concerns were brought to the district's attention in the fall of 2015, and were dismissed. Based on some of the other descriptions regarding access to health records, it also sounds like there might be some issues related to Infinite Campus and how it was set up, but that's unclear.

What is clear, however, is that the district is not being as forthright as they need to be. The board meeting with parent testimony was May 19th; the Complete Colorado article ran on May 24th. The data privacy page on the Lewis Palmer web site was updated on May 25th, with the following statement:

Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems.

Given that the security issue was covered in the local press the day prior, and that the district was publishing their password structure for over three years, I'd recommend they look at their logs going back a while. I'd also recommend that the district own their role in exacerbating this issue.

For districts, parents, teachers, and students: if there is a commonly known structure to how you provision both usernames and passwords, that is potentially a serious red flag. The process of provisioning accounts is time consuming and not fun (which is part of the reason why we see people starting to rush into the rostering space), but if you can't do it securely, you should put your tech programs on hold until you get it sorted out.
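The red flag described above can be checked mechanically. The following is an added example, not code from the district, Infinite Campus, or the original post: it audits a roster of initial credentials for the prefix-plus-birthday structure quoted from the district's instructions, shows how small the space of MMDDYY values is for a school-age population (which is why a birthday is not a password), and generates structureless initial passwords instead. The roster, the prefix regex, and the two-digit-year cutoff are assumptions constructed for the example.

```python
import re
import secrets
import string
from datetime import date

# The structure quoted from the district's own instructions: a fixed prefix
# followed by the user's birthday as MMDDYY (e.g. "Lp@032794").
BIRTHDAY_PASSWORD = re.compile(r"^Lp@(\d{2})(\d{2})(\d{2})$")


def birthday_from_password(password):
    """Return the date encoded in a prefix-plus-MMDDYY password, or None."""
    m = BIRTHDAY_PASSWORD.match(password)
    if not m:
        return None
    mm, dd, yy = (int(g) for g in m.groups())
    # Assumption for this example: two-digit years below 30 mean the 2000s.
    year = 2000 + yy if yy < 30 else 1900 + yy
    try:
        return date(year, mm, dd)
    except ValueError:  # e.g. month 13: matches the pattern but is not a date
        return None


def audit_initial_passwords(records):
    """records: iterable of (username, initial_password).
    Returns the usernames whose initial password is derivable from a birthday."""
    return [user for user, pw in records if birthday_from_password(pw) is not None]


def birthday_keyspace(first_year, last_year):
    """Number of distinct MMDDYY values for people born in [first_year, last_year].
    For a K-12 population this is a few thousand, which is what makes the scheme weak."""
    return (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1


def random_initial_password(length=14):
    """A per-user initial password with no structure anyone can infer."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample roster (not real accounts): usernames that are student
# ID numbers, as in the district, with two passwords in the published format.
SAMPLE_ROSTER = [
    ("100201", "Lp@032794"),
    ("100202", "Lp@110203"),
    ("100203", random_initial_password()),
]

if __name__ == "__main__":
    print("predictable initial passwords:", audit_initial_passwords(SAMPLE_ROSTER))
    print("MMDDYY values for 1998-2010 births:", birthday_keyspace(1998, 2010))
```

The keyspace function is the useful number to put in front of a vendor or a district: against a lockout policy that allows even a handful of guesses per account, a few thousand candidates per user is not a secret, and if usernames are student IDs that everyone in a class already knows, the audit list is the set of accounts that need a forced reset.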

Tracking the Trackers

2 min read

Third party trackers are tools that companies use to track us as we navigate through the web. While most of us don't pay much attention to trackers, they are present on many of the sites we visit. They collect information about our online activities, ranging from the pages we visit and the terms we search for to how long we stay on a page, and more, and they organize this information into a profile that can then be used for many different purposes. Because tracking takes place behind the scenes, most of us never get a glimpse of how tracking is set up, and how it follows us.

If you are ever curious about how third party trackers work, Lightbeam is a freely available add-on from Mozilla that displays information on third party trackers. This recent web census is both up to date on the current state of tracking, and the different technologies used to track.

When evaluating EdTech apps, Lightbeam can be used to get a clear sense of what trackers are placed on a site. To get accurate results, you will need to get Firefox ready to test. Then, log in to the application you want to evaluate, and let Lightbeam do the rest.

The video below shows how trackers get placed. In the video, I visit three sites: WebMD, the Huffington Post, and the Weather Channel. In the process of visiting just these three sites, 139 third party trackers were placed on my browser.
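What Lightbeam is doing when it draws that graph is a classification of every request a page makes into first party or third party, then a join across sites on the shared third parties. The following added example (not Lightbeam's code, and not from the original post) does the same over a constructed set of three visits: hostnames under the reserved .test TLD, a deliberately crude registrable-domain function, and the request lists are all assumptions built for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the hostname. A production tool
    would consult the Public Suffix List so that e.g. 'example.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_requests(page_url, request_urls):
    """Split the resources a page loaded into first-party and third-party
    registrable domains, judged against the page's own domain."""
    site = registrable_domain(urlsplit(page_url).hostname)
    first_party, third_party = set(), set()
    for url in request_urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        (first_party if domain == site else third_party).add(domain)
    return site, first_party, third_party


def tracker_map(visits):
    """visits: list of (page_url, [request_urls]). Returns a mapping of each
    third-party domain to the set of sites that loaded it, which is the
    graph of shared third parties that Lightbeam draws."""
    seen_on = defaultdict(set)
    for page_url, request_urls in visits:
        site, _, third_party = classify_requests(page_url, request_urls)
        for domain in third_party:
            seen_on[domain].add(site)
    return dict(seen_on)


def shared_trackers(visits, min_sites=2):
    """Third parties present on at least `min_sites` distinct sites: the ones
    positioned to link one browsing session across unrelated sites."""
    return {d for d, sites in tracker_map(visits).items() if len(sites) >= min_sites}


# Constructed sample: three unrelated sites and the resources each page
# pulled in (hostnames under the reserved .test TLD; not real trackers).
SAMPLE_VISITS = [
    ("https://www.example-health.test/symptoms", [
        "https://www.example-health.test/static/app.js",
        "https://pixel.adnet-one.test/collect?site=health",
        "https://cdn.metrics-two.test/beacon.js",
    ]),
    ("https://news.example-news.test/story/1", [
        "https://news.example-news.test/css/main.css",
        "https://static.example-news.test/img/logo.png",
        "https://pixel.adnet-one.test/collect?site=news",
        "https://sync.social-three.test/like.js",
    ]),
    ("https://weather.example-weather.test/today", [
        "https://pixel.adnet-one.test/collect?site=weather",
        "https://cdn.metrics-two.test/beacon.js",
        "https://tags.tagmgr-four.test/tm.js",
    ]),
]

if __name__ == "__main__":
    for domain, sites in sorted(tracker_map(SAMPLE_VISITS).items()):
        print(f"{domain}: loaded by {len(sites)} site(s)")
    print("cross-site third parties:", sorted(shared_trackers(SAMPLE_VISITS)))
```

To run this against a real EdTech login rather than constructed data, feed it the request URLs from the browser's network panel or a saved HAR file for each page you visit; the count of distinct keys in the tracker map is the number the video reports, and the shared set is the part that matters for profiling, because a third party seen on one site only cannot follow you anywhere.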

Targeted Ads Compromising Privacy in Healthcare

2 min read

For a current example of how and why privacy matters, we need look no further than the practices of a company that uses "mobile geo fencing and IP targeting services" to target people with ads.

In this specific case, the company is targeting ads to women inside Planned Parenthood clinics with anti-choice materials. The anti-choice messaging - euphemistically referred to as "pregnancy help" - gets delivered to women who enter selected health clinics.

"'We can set up a mobile geo fence around an area—Planned Parenthood clinic, hospitals, doctor's offices that perform abortions,' Flynn said. 'When a smartphone user enters the geo fence, we tag their smartphone's ID. When the user opens an app [the ad] appears.'"

Let's stop pretending that a phone ID isn't personal information. This is how data can be used to compromise people's privacy. We should also note that the anti-choice groups are now clearly in the business of harvesting personal information about women who visit health clinics, and who knows what they are doing with that information. With the device ID in hand, they can easily combine that dataset with data from any of the big data brokers and get detailed profiles of the people they are targeting.

This is how private institutions target and exploit individuals. However, they are using techniques adopted by advertisers and political campaigns.

Tech isn't neutral. Whenever you hear talk of "place based advertising", this is what we are talking about.

Building Consensus for Privacy and Security

1 min read

I had the pleasure to present at ATLIS on April 19, 2016, in Atlanta. The conversation covered different facets of privacy, and how to evaluate the different attitudes toward privacy and security in schools.

One element in the conversation that we sped over involved some simple browser-based tools that highlight third party trackers. The example I used highlighted two news sites (Huffington Post and the NY Times), but the process works just as well with educational technology apps: enable Lightbeam, log in to an edtech site, and see what loads.

The full presentation is available below.

Terms of Service and Privacy Policies at CharacterLab

10 min read

I probably spend more time than recommended browsing the web and reading privacy policies and terms of service, looking for patterns. When I encounter a new app, the first thing I do is find the terms and read them. Terms are useful in a range of ways. First, what they say matters. Second, how they say it can provide insight into the service, and how the company views themselves. Third, terms can indicate the business plan (or possible business plans) of a company. Finally, the degree to which the terms align (or not) with the product can indicate how coherent the planning within a company has been. There are other elements we can glean from terms, but the points outlined here are some of the more common items that can be inferred from terms.

Last week, I encountered the terms of service at characterlab.org. They offer an application to support character growth. The terms discussed in this post were updated in August 2015. I downloaded an archive version this morning (April 4, 2016).

The target audience of Character Lab is teachers, but they also get information about children (to set up accounts) and from children (once accounts have been set up). 

Account Creation and Parental Consent

In the process defined by the terms and reinforced via their user interface, teachers create accounts for students.

The information we collect varies based upon the type of user you are.
(i) Teachers: In order to use the Service, you will need to register for an account. In order to register, we will collect your name, login name, and institution you are associated with, grade level, years of experience, along with your telephone number and email address.
(ii) Students: Students will not be asked to provide Information. Teachers will create accounts for students by providing their name. Students and teachers will both input information related to student character assessment tests and other Services-related functions.

In the terms, parental consent is mentioned, but only in passing, in the "Eligibility" section:

You must be at least 18 years old, an emancipated minor, or possess legal parental or guardian consent, and be fully able and competent to enter into and abide by these Terms to access the Service. If you are under 13 years of age, you may only access the Service with the express permission of your legal parent or guardian.

Given the account creation workflow in place with this site, a teacher is binding a student to these terms, potentially without any parental consent. In the case of a student under the age of 13, the way the eligibility terms are written ("If you are under 13 years of age, you may only access the Service with the express permission of your legal parent or guardian.") puts the onus for understanding the need for parental consent, and for obtaining it, on the student, who may or may not be aware that the terms exist, and who has no role in setting up their account.

At the very least, the terms should require that the teacher or school creating student accounts obtain and maintain verifiable parental consent.

A suggestion for vendors looking to avoid this circular setup: read your terms from the perspective of each of your target users. If likely scenarios exist where a person would have data in your system before that person had any opportunity to interact with your system, you should consider revising your terms, your onboarding process, or both.

Grammar Counts

From the "Protecting Children's Information" section, we are given text that fails to meet basic standards for clarity.

If you are a student, please note that your parent can view request a copy of your character report, and any and all other information associated with you, on this Site, including without limitation messages between. If you are a parent, you may request a copy of your child's character report (whether self-reported or reported by any and all other information associated with your child) on this Site by either submitting an email request to Character Lab at cgc@characterlab.org.

A couple things jump out here: first, as highlighted above, students play no role in creating their account, so the chances they would be informed that parents can request a copy via these terms is slim. Second, both sentences in the "Protecting Children’s Information" section contain grammatical errors and word omissions that make them less than comprehensible.

If you are putting out an application that collects data, read your terms. Have a good editor read your terms. Have a good lawyer read your terms. Have your lead developer read your terms. If you are the company founder, read your terms. If terms contain basic grammatical errors, or sentences riddled with omissions, it raises the question: in how many other places do similar weaknesses exist?

Data collection and minimization

In looking at the data that is collected, several areas exist where the terms claim the right to collect more data than is needed to run the service.

Your browser type, language, plug-ins, Internet domain and operating system;

This service has no need to collect information about browser plugins. Collecting this information is a component of browser fingerprinting, which is a precise method of tying a specific browser to a specific machine - which can often lead to uniquely identifying a person without collecting data traditionally considered Personally Identifiable Information (or PII). Additionally, tracking "Internet domain" seems excessive as well. While the term is pretty vague, one common definition could mean that the service tracks the domains from which requests originate, so the vendor would know if someone was connecting from the network of a specific school or university. This information replicates a lot of what can be inferred from collecting an IP address (which characterlab.org also collects), but connecting an IP address to a domain seems unnecessary - especially because teachers are required to state a school affiliation when they register.

Moving on, the terms also claim the rights to collect and store device IDs and physical location.

Unique identifiers, including mobile device identification numbers, that may identify the physical location of such devices;

This service does not require a device ID or physical location to run. If they actually collect and retain this information, it creates a much more valuable dataset that could be compromised via a data breach or human error.

If this data is actually needed to run the application, then the terms need to clarify how and why it is used. I suspect that this is an example of something we see pretty regularly: the terms are out of sync with what the app actually does. CharacterLab is not alone in claiming the rights to obtain device IDs. Many other EdTech companies do this. While it is easy to get a device ID, it is generally not necessary, and many EdTech companies could eliminate this practice with no negative effect on their service.

Data collection and retention should be minimized to reflect the specific needs of the app. When a vendor thinks about these details, they can build better software that is easier to maintain. By making sound technical decisions as a regular part of the development process - and by verifying that the terms of service reflect actual practice - vendors can have confidence that they understand their product, and how it runs.

Data transfers

The issues with data collection and retention are highlighted by how data will be treated in case of a merger or an acquisition.

(d) in the event that Character Lab goes through a business transition, such as a merger, divestiture, acquisition, liquidation or sale of all or a portion of its assets, your Information will, in most instances, be part of the assets transferred;

This provision creates the very real possibility that data can be sold or transferred as part of a larger deal. This is a very problematic clause. As we saw with ConnectEdu and Corinthian (where student data was included in a sale to a student loan collection agency), these sales happen. Given the rate of churn in the education technology space, terms that allow student data to be sold or transferred create significant risk that data will be used in a range of ways that are completely unrelated to the stated goals of Character Lab.

The ability to transfer data, paired with the data that can be collected, could be mitigated to an extent by a good deletion policy. However, Character Lab does not deliver on that either.

Please note that certain Information may remain in the possession of Character Lab after your account has been terminated. Character Lab reserves the right to use your Information in any aggregated data collection after you have terminated your Account, however Character Lab will ensure that the use of such Information will not identify you personally.

When data is deleted, it should be deleted, full stop. Given that Character Lab claims the right to collect browser plugins or device IDs - either of which can be used to precisely identify an individual - the claim that they will ensure that their data set won't identify you personally rings hollow.

This problem is exacerbated because the terms contain no language banning recombination with other datasets.

To be clear, the reason that they include this claim over deleted data is to support research. However, they could support their research needs and respect user intent by specifying that they will delete all user data, and not incorporate that data into aggregate data sets moving forward, but that any data used in aggregate data sets created before the data was deleted will not be affected.

Their provisions here would also be less problematic if the app minimized data collection, as outlined above.
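The two practices argued for above (storing only the fields the service needs, and a deletion policy that removes a user from all data going forward while leaving previously produced aggregates as they were) can be made concrete in code. The following is an added example written for this post; it is not Character Lab's software, and the allowlist of "needed" fields and the payload field names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Required is a hypothetical allowlist of the fields the service actually
// needs to run. It is an assumption for this example, not taken from
// Character Lab's terms or code.
var Required = map[string]bool{
	"user_id":   true,
	"language":  true,
	"school_id": true,
}

// Minimize keeps only allowlisted fields from an incoming payload and
// reports which fields were discarded, so the retention decision is
// explicit and auditable instead of buried in a log format.
func Minimize(payload map[string]string) (map[string]string, []string) {
	kept := map[string]string{}
	var dropped []string
	for k, v := range payload {
		if Required[k] {
			kept[k] = v
		} else {
			dropped = append(dropped, k)
		}
	}
	sort.Strings(dropped)
	return kept, dropped
}

// Aggregate is a point-in-time summary (users per school) computed for
// research use. It holds counts only, never per-user fields.
type Aggregate struct {
	Name      string
	PerSchool map[string]int
}

// Store keeps minimized per-user records and the aggregates derived from them.
type Store struct {
	users      map[string]map[string]string
	aggregates []Aggregate
}

func NewStore() *Store {
	return &Store{users: map[string]map[string]string{}}
}

// Add minimizes a payload before storing it and returns the dropped fields.
func (s *Store) Add(payload map[string]string) []string {
	kept, dropped := Minimize(payload)
	s.users[kept["user_id"]] = kept
	return dropped
}

// Snapshot computes an aggregate from the users present right now. Once
// taken it is never recomputed, so it is unaffected by later deletions.
func (s *Store) Snapshot(name string) Aggregate {
	agg := Aggregate{Name: name, PerSchool: map[string]int{}}
	for _, u := range s.users {
		agg.PerSchool[u["school_id"]]++
	}
	s.aggregates = append(s.aggregates, agg)
	return agg
}

// Delete removes the user's record entirely: a user deleted today is absent
// from every aggregate built from now on, while earlier aggregates keep the
// counts they had when they were produced.
func (s *Store) Delete(userID string) bool {
	if _, ok := s.users[userID]; !ok {
		return false
	}
	delete(s.users, userID)
	return true
}

// Has reports whether any per-user record remains for userID.
func (s *Store) Has(userID string) bool {
	_, ok := s.users[userID]
	return ok
}

func main() {
	st := NewStore()
	// Constructed sample payload: everything a "collect it all" handler might capture.
	dropped := st.Add(map[string]string{
		"user_id": "u1", "language": "en", "school_id": "s1",
		"plugins": "Flash,Java", "device_id": "dev-0001", "lat": "44.9", "lon": "-93.2",
	})
	fmt.Println("dropped before storage:", dropped)
	st.Add(map[string]string{"user_id": "u2", "language": "en", "school_id": "s1"})
	q1 := st.Snapshot("2016-q1")
	st.Delete("u1")
	q2 := st.Snapshot("2016-q2")
	fmt.Println("s1 users in q1:", q1.PerSchool["s1"], "in q2:", q2.PerSchool["s1"],
		"u1 still stored:", st.Has("u1"))
}
```

The point of the allowlist is that plugin lists, device IDs and coordinates never reach storage, so there is nothing to leak in a breach and nothing for an aggregate to re-identify. Deletion is a real delete of the per-user record; the research aggregates survive because they were computed as counts, not as copies of user data.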

Changes to terms

Finally, this app contains the poison pill for terms of service.

Character Lab shall have the right to modify these Terms at any time, which modification shall be effective upon posting the new Terms on the Terms of Use page of the Site. We recommend that you check the Site regularly for any such changes. Your use of the Character Lab Service following such posting shall be deemed to constitute your acceptance of such modification. The Terms may not otherwise be changed or modified.

The ability to change terms with no notice is always problematic, but it is especially problematic given that this site contains student information, and that the site has limited the ability of people to fully delete their information.

If terms are substantially modified, users should be notified via email, and via notice on the site - ideally as a banner, and as added text on the login page. The updated terms should also be posted for a specified period (generally around 30 days) before they become active.

Closing

The issues outlined here are a summary - there are other things in these terms that could be improved, but in the interests of brevity I kept a narrow focus.

These terms have issues that appear frequently across many terms in both educational and consumer technology. My sense in reading these terms is that the terms of using the service have drifted from the intent of the people creating the service. This is a common issue - building an app and releasing it into the world is a lot of work, and it's easy to overlook the need to clarify the terms of service. Imprecise or poorly written terms are rarely a sign of bad intent.

However, given that the terms provide the legal basis and rights of both vendor and users of a service, getting them right is essential. For a vendor, ensuring that the terms align with the practice and intent of the application is a very practical way to ensure that you have organizational clarity about the goals of your organization, and the role technology plays in reaching them.

Encryption, Privacy, and Security

9 min read

In conversations about student data privacy, the terms "encryption," "security," and "privacy" are often used interchangeably. While these terms are related, they ultimately are distinct concepts. In this post, we will break down how these terms overlap with each other, and how they are distinct.

But at the outset, I need to emphasize that this post will be incomplete - a comprehensive treatment of these terms and the distinctions between them would be a good subject for a book. Details will be left out. If you're not okay with that, feel free to stop reading now. I imagine that the Kardashians are up to something curious or interesting - feel free to check that out.

As is hopefully obvious by now, this post is not intended to be comprehensive. This post is intended to provide a starting point for people looking to learn more about these concepts.

Privacy

Privacy is arguably the least technical element in this conversation. There are two facets to privacy we will highlight here:

  • It's possible to have great security and bad privacy practices; and
  • We often speak about "privacy" without clarifying "private from whom."

Great security and bad privacy

A vendor can go to extreme lengths to make sure that data can only be accessed by the vendor, or the partners of the vendor. However, if the vendor reserves the right to sell your data to whomever they want, whenever they want, that's not great for your privacy. The ways that vendors can use the data they acquire from you are generally spelled out in their terms of service - so, if a vendor reserves rights to share and reuse your data in their terms, and you agree to those terms, you have given the vendor both data, and the permission to use that data.

There are many vendors who have solid security paired with privacy policies and data usage practices that compromise user privacy.

Who is that private from, really?

Different people think of different things when we say the word "private" - in most cases, when we think about privacy, we focus on things we don't want other people to know. When we are working with technology, though, the concept of "other people" gets abstract and impersonal pretty quickly.

When we use services that store a record of what we have done (and it's worth noting that "doing" means read, said, searched for, liked, shared, moused over, and how long we have done any of these things), the "private" things we do are handed over to systems that have a perfect memory. This changes the nature of what "private" can mean. For the purposes of this post, we'll use four different categories of people who might be interested in us over time, and how that impacts our privacy.

  • Criminal - these are the folks people agree about the most: the people stealing data, perpetrating identity theft, and using a range of attacks to get unauthorized access to data with bad intent.
  • Personal - there is also large agreement about personal privacy. We can all agree that we don't want Great Uncle Wilfred to know about our dating life, or to talk about it during Thanksgiving. The ability to control which of our acquaintances knows what is something we all want.
  • Corporate - there is less agreement here, as one person's desire for privacy often runs counter to a data broker's or a marketer's business plan. But, when using a service like Facebook, Instagram, Twitter, Snapchat, Pinterest, etc., the "privacy settings" provided by the vendor might offer a degree of personal privacy, but they do nothing to prevent the vendor from knowing, storing, and profiting from everything you do online. This often includes tracking you all over the web (via cookies and local shared objects), in real life (via location information collected via a mobile app), or from buying additional data about you from a data broker.
  • State - there is also less agreement about what constitutes an appropriate level of protection or freedom from state-sponsored surveillance. While people have been aware of the inclination of the state to violate privacy in the name of security and law enforcement throughout history, the Snowden leaks helped create specific clarity about what this looked like in the present day.

(As an aside, the data use practices within politics should possibly be included in this list.)

Many conversations about privacy don't move past considering issues related to criminal activity or personal compromises. However, both corporate and state level data collection and use expose us to risk. As was recently illustrated by the Ashley Madison and the OPM breaches, corporate data collection and state data collection pose criminal and personal risk.

For people looking to learn more about the various factors at play in larger privacy conversations, I strongly recommend Frank Pasquale's recent book, the Black Box Society. The book itself is great, and the footnotes are an incredible source of information.

Security

In very general terms, security can be interpreted to mean how data is protected from unauthorized access and use. Encryption is a part of security, but far from the only part. If a systems administrator leaves his username and password on a post-it note stuck to his monitor, that undercuts the value of encrypting the servers. Human error can result in snafus like W2s for a popular tech startup being emailed to a scammer.

If people email passwords to one another - or store passwords online in a Google Spreadsheet - a system with fantastic technical security can be compromised by a person who has limited technical abilities but who happens to stumble onto the passwords. Phishing and social engineering attacks exploit human judgement to sidestep technical security measures. If a CSV file of user information is transferred via SpiderOak and then copied to an unencrypted USB key, the protection provided by secure file transfer is immediately destroyed by storing sensitive information in plain text, on a portable device that is easy to lose. In short, security is the combination of technical and human factors which, taken together, decrease the risk of unauthorized access or use of information.

Encryption is an element of security, but not the only element. It is, however, a big part of the foundation upon which security, and our hopes for privacy, rests.

Encryption

Encryption is often used in general terms, as a monolithic construct, as in: "We need to fight to protect encryption" or "Only criminals need encryption."

However, the general conversation rarely gets into the different ways that information can be encrypted. Additionally, there are differences between encrypting a device (like a hard drive), data within an app, and data in transit between an app and a server or another user.

As an example, all of the following questions look at possible uses of encryption for a standard application: does an application encrypt data at rest on the device where the data is stored? If the application pushes data to a remote server for storage, is the data encrypted while in transit to and from the remote location? If the data is stored at the remote location, is the data encrypted while at the remote location? If the remote location uses multiple servers to support the application, is communication between these servers encrypted?

If the answer to any of these questions is "no," then, arguably, the data is not getting the full benefits of encryption. To further complicate matters, if a vendor encrypts data at rest, and encrypts data moving between servers, and encrypts data moving between servers and applications, but that vendor can still decrypt that data, then there is no guarantee that the benefits of encryption will protect an individual user. When vendors can decrypt the data on their hardware, then the data is only as secure - and the information stored only as private - as the vendor is able or willing to protect that encryption.

True end-to-end encryption (where the data is encrypted before it leaves the application, is sent via an encrypted connection, and only decrypted at its final destination) is the ideal, but often a vendor will function as a middleman - storing and archiving the data before sending it along to its intended recipient. This is one of many reasons that the encryption debate looks different for vendors that make hardware relative to vendors that build software.
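The difference between "encrypted at rest by the vendor" and "encrypted with a key only the user holds" is easy to blur in conversation, so here is an added example that makes it concrete. It is illustrative code written for this post, not any vendor's implementation; it assumes AES-256-GCM as the cipher (the post does not name one), and the vendor, record and key names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a random 256-bit key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it returns an error if the key is wrong or the blob
// was modified, because GCM authenticates the ciphertext.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Vendor models a server that stores records. It always holds a key of its
// own for "encryption at rest"; what varies is whether that key is the one
// the record was actually encrypted with.
type Vendor struct {
	managedKey []byte
	blobs      map[string][]byte
}

// StoreManaged is the vendor-managed model: the vendor encrypts at rest with
// its own key, so it (and anyone who compels or compromises it) can decrypt.
func (v *Vendor) StoreManaged(id string, plaintext []byte) error {
	blob, err := seal(v.managedKey, plaintext)
	if err != nil {
		return err
	}
	v.blobs[id] = blob
	return nil
}

// StoreOpaque is the end-to-end model: the client encrypted before upload,
// so the vendor only ever holds ciphertext.
func (v *Vendor) StoreOpaque(id string, blob []byte) { v.blobs[id] = blob }

// Decrypt is what the vendor can read with the only key it has.
func (v *Vendor) Decrypt(id string) ([]byte, error) { return open(v.managedKey, v.blobs[id]) }

// Outcome records who could read the record under each model.
type Outcome struct {
	VendorReadsManaged bool // at-rest encryption alone does not keep data from the vendor
	VendorReadsE2E     bool // the vendor cannot open a client-encrypted blob
	RecipientReadsE2E  bool // the holder of the user key can
}

// Demo runs both models over a constructed sample record.
func Demo() Outcome {
	vendor := &Vendor{managedKey: newKey(), blobs: map[string][]byte{}}
	record := []byte("character report: student 42, grit 3/5") // constructed sample

	if err := vendor.StoreManaged("rec-1", record); err != nil {
		panic(err)
	}
	_, errManaged := vendor.Decrypt("rec-1")

	userKey := newKey() // stays on the user's device; never sent to the vendor
	blob, err := seal(userKey, record)
	if err != nil {
		panic(err)
	}
	vendor.StoreOpaque("rec-2", blob)
	_, errVendorE2E := vendor.Decrypt("rec-2")
	pt, errUser := open(userKey, vendor.blobs["rec-2"])

	return Outcome{
		VendorReadsManaged: errManaged == nil,
		VendorReadsE2E:     errVendorE2E == nil,
		RecipientReadsE2E:  errUser == nil && bytes.Equal(pt, record),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Both records are "encrypted at rest" on the vendor's disk; the only thing that changes between them is who holds the key, and that is exactly what decides whether a subpoena, a breach or a curious employee at the vendor yields plaintext. The tradeoff the post describes follows directly: a vendor that must read the data to archive, search or forward it cannot offer the second model for that data.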

In very general terms, hardware manufacturers fighting for encryption are protecting user data; and it's in the best interest of these manufacturers to protect user data because if hardware vendors fail to protect user data they also lose user trust, and then people won't buy their products.

In equally general terms, many application vendors fighting for encryption have a more complicated position. A small number of vendors have been vocal supporters of encryption for years - these are the small number of vendors who offer true end-to-end encryption, or who implement encryption where the user, not the vendor, retains control of their keys. However, the ongoing legal battle between Apple and the FBI over encryption has elicited broad support from within the tech community, including companies who use data to power advertising and user profiling. For companies whose business is predicated on access to and use of a large dataset of sensitive user information, strong encryption is essential to their business interests.

In their external communications, they can get a public relations win by advancing the position that they are defending people's right to privacy. Internally, however, encryption protects the biggest asset these companies possess: the data sets they have collected, and the communications they have about their work. This is where the paradox of strong security with questionable privacy practice comes into play: why should encryption give large companies an additional tool to protect the means by which they compromise the privacy of individuals?

And the answer is that, without encryption available to individuals, or small companies, none of us have a chance to enjoy even limited privacy. If we - people with less access to technical and financial resources than the more wealthy or connected - want to have a chance at maintaining our privacy, encryption is one of the tools we must have at our disposal. The fact that it's also useful to companies that make a living by mining our information and - arguably - violating our privacy doesn't change the reality that encryption is essential for the rest of us too.

NOTE: I'd like to thank Jeff Graham for critical feedback on drafts of this piece.