House RFID tag privacy?

My house was tagged with a little RFID tag yesterday.  It sits quietly inside the door jamb, under a sticker with the logo of the cleaning company.   When I got the CTO job, a condition from the family was to get cleaning help, and we got a company to come and clean the house.  They do a good job, and they work hard.

I suspect that the reason for the tag is to be able to change our bill if the cleaning of our house consistently runs over time, and to keep track of employees who slack off compared to others.  The latter is related to privacy, the first is economics.

The company sent us a letter two weeks before the sticker was applied.  The main topic of the letter was informing us about the sticker, since it sticks to stuff in our house and they would like us not to remove it by accident.  The main text was about how this RFID was not in any way an invasion of our privacy, and that it had been cleared with the Data Inspectorate.

On one hand, this was encouraging, since privacy obviously was a major topic that needed more text than the simple fact of redecorating our entrance hall.  On the other hand, this was discouraging, as the privacy invasion falls on the company's employees, who will now be monitored on how much time they use in each house, and this was not the focus.


Informed consent and necessity

Normally we try to operate all transfer of personally identifiable information by the principle of informed consent.  In the discussions on privacy at the NORDUnet conference, Andrew Cormack pointed out that in practice the guiding principle for services may well be necessity to transfer and process personally identifiable information.  Privacy guidelines explicitly allow processing when there is necessity, as illustrated in the figure below.

[Figure: Informed consent and necessity]

One example of necessity is if my hospital needs to notify my family physician that the X-ray pictures show a rampant pneumonia.  Not notifying the person responsible for prescribing antibiotics may harm my health, and in this situation the necessity is easy to understand.

In the EU regulations, the necessity part seems to be interpreted differently from country to country.  Denmark has legislation allowing parts of the public sector to exchange information according to necessity.  In Norway this is put into some specific laws, but it is not an overall guiding principle that gives carte blanche.

There is discussion on what constitutes similar services, and on whether informed consent to transfer the information needed for exam registration is really voluntary when the alternative may be to travel for 20 minutes and spend an hour in an office to complete the same transaction on paper.  If the prior procedure was all on paper, and the web self-service interface was introduced as a complement to standing in line, the answer may be that it is voluntary.  If the procedure was on the web, and the paper procedure was added as a fallback, then it may not be voluntary enough.

This then raises the question of who gets to impose what costs.  May I as a user impose the cost of a paper procedure on my university, but gain the feeling of online privacy?  If this is only a feeling, and the university processes my PII together with everyone else's, the only gain for me was avoiding Internet transfer.  Does that make sense?  Does it make sense for stuff that must be conducted online?  Or does it only make sense in those situations where I do not trust the service provider?  If I have to trust the service provider to handle exams, I may have to trust them with information in order for them to provide my credentials.

I am not sure what to think about the necessity part of privacy.  But I do know that keeping users informed is polite, and politeness is necessary.

Posted in policy.

Sharing, withholding and delegating

Sharing, withholding and delegating sounds like advice from Management 101, a first introduction to getting things done.  In the case of identity management, there are some hard cases to crack:

  1. Sharing metadata: getting information about the right identity provider to the right service provider, as needed
  2. Withholding information about technical detail from the end user, while giving enough information to make informed choices.  One aspect of this is a seamless discovery service, where the aforementioned identity provider information is available when needed, without prompting the end user to input something
  3. Delegation of rights.  I may wish to delegate rights to my husband or to a process running on my behalf (webmail should be able to check my mail account via IMAP, even if IMAP is a non-web protocol)
  4. Aggregation of information about me from multiple Identity Providers, while keeping my privacy and giving a user friendly interface to managing my own information

The discussions on these issues have tended to get into complicated corner cases and some heavy protocol elephantiasis.  The simple and elegant design of OAuth gives some hope, as people start experimenting and throwing connected ideas around.  An example is Andreas’ draft work on attribute aggregation.

Simple is good.  Testing various ideas helps us sort out how the issues above prevent us from solving some of the use cases:

  • Grandfather wants access to the e-learning platform, needs to check on school work and see if grandson handed in assignments.  Depends on delegation of rights from parent.  Depends on discovery service to sort this role from the primary role as professor at university.
  • Parent wants to delegate limited rights to supervise schoolwork to grandfather.  Depends on attribute aggregation from multiple sources, as parent-child relation is independent of authentication method.  Depends on seamless discovery service, since this must be possible for all parents.
  • Integration of Web 2.0 applications without total mesh coupling.  Depends on withholding information to preserve privacy, and on delegation of rights to several processes keeping track of social network updates.
  • Universal access to web sites, while preserving privacy.  Getting information about disabilities (sensitive information) to adjust web sites to end user needs.  Depends on aggregation of attributes from multiple sources and delegation of rights.

The issues need to be solved for user centric identities, organization centric identities and federations.  We are not there yet – but the space needs watching.

Birthdate rudely published

The main Norwegian provider of online phone search, Eniro, published birth dates for all phone owners.  Unless you have an unlisted phone number, your birth date is now online and available.  Eniro claims to have done this in order to make it easier to distinguish search results.

[Image: Searching for Ingrid Melve]


One example is the search result for my name, as shown in the picture.  I suppose the birth date is displayed in the same box as the Send flowers button for ease of use; that is nice.  Less nice are the ads, since I suppose that the advertisements suggest good presents for me: bigger boobs, heat exchanger, flat screen TV, teeth bleaching, Sony Playstation 3.  I much prefer the PS3 of those suggestions, as I find the other suggestions gross and rude and too personal.

I do not see how knowing the birth date helps me distinguish between search results.  Knowing the birth year might help, since I could map what I know about the person to the search result.  Knowing what date the person is born gives me no new information.  Knowing birth dates for family and friends is nice, but that is all about maintaining social relations.  Searching for phone numbers is not my preferred social relation investment.  In this case the service seems displaced in the social fabric.

Reactions have been surprisingly strong, probably because this is perceived as rudeness incorporated.  The Data Protection Agency has the phone ringing off the hook, but according to the current rules publishing birth dates is within the regulations.  Once again the difference between legally right and morally right is displayed in public.

Posted in Curiosa, policy.

You decide: campaign for kids

Consequences of Internet use, for ages 9-13 and 15-19, are presented in the You Decide campaign.  Privacy, bullying, critical text analysis and other issues are presented to the children and youngsters.  The campaign for ages 15-19 was very successful, and the hope is that the new material for ages 9-13 will be as helpful.

The forces behind this initiative are Utdanningsdirektoratet (Norwegian Directorate for Education and Training), The Norwegian Data Inspectorate, and Teknologirådet (The Norwegian Board of Technology).  Language versions include Bokmål, Nynorsk, Sami, English, Spanish, Danish and Macedonian.

Complexity breeds contempt (or consent?)

When is informed consent really consent, and not just paperwork?  My local newspaper carried an interesting article yesterday where professor Stein Kaasa at NTNU stated that the paperwork for getting informed consent for participation in research projects from cancer patients has grown too complex.  The text in the consent form is three times what it was some years ago, and the added text is mostly legalese (legal issues, economic terms, privacy information, data storage information).  He states that this is preventing his patients, mostly ill and elderly, from understanding the issues involved in volunteering for research projects.  I believe that he is fundamentally right, not only for elderly patients.  The user's or patient's need to understand consent information should override our need to add complex disclaimers.

How many of the Microsoft Office users are aware that you agree to not use Word’s media elements to create scandalous works?

You may not create obscene or scandalous works, as defined by federal law at the time the work is created, using the Media Elements

And that text is snipped from the first part of the EULA, a part that innocent users might see while scrolling through the text in order to agree and then get work done.  One of the major roadblocks for security is the press-OK-to-continue syndrome.  Because the questions asked are either self-evident or too complex to understand, the only possible answer is YES.  This is why I believe that complexity breeds consent.

Back to the cancer patients, where almost all agree to participate in research.  The proposal from professor Kaasa was to use established channels: spend some time in the conversation with the patient to inform about the issues (mostly done by research nurses).  And he states that the hospital must be able to take on more of the administrative burden with regard to the consent forms, possibly also taking on more responsibility as an organization instead of outsourcing everything to each project.

How much of the policy work done today is about disclaimers, where we are covering our backsides?  How much is really needed?  How formalized should policies be?  How much of the formalization of policy must be visible to the end users?

Posted in policy.