identity


boi and data and identity and ireland and irish and theft | aehso on 28 Apr 2008 05:17 pm

This story just gets worse - now BOI admit they have lost over 31k records. BOI need to answer a few more hard questions openly and honestly in order to stop me from closing my last remaining account with them:

  • Is/was it routine for bank employees to bring laptops containing unencrypted data off bank property? Can you guarantee me that your employees never copied data off your laptops onto another machine at home or emailed it via SMTP servers in unencrypted email messages? I don’t really care what official bank policy (meaningless) is, I just want to know if your employees technically could do this.
  • If the above is routine, how do they know that only 31k records were lost? After all, you don’t actually have the laptops so how would you know what is on them? Right now trust is gone out the window and you don’t have to give so much information that you would potentially compromise the security of live systems. Technical details on the auditing capabilities of your laptop/mainframe data synchronization tools would be great - just to give me that warm fuzzy feeling.
  • If the above is routine, how many of your employees recently sold, dumped or gave away PCs that they might, at one stage, have been editing bank data on while working at home?
  • When was the last group hardware audit completed and are any other laptops unaccounted for? Not necessarily stolen, just not where they are supposed to be.

Lastly, and this question stands, even if I do close that last account. According to the above-referenced news story:

“In the unlikely event of a fraud arising as a direct result of the theft of these laptops, the customer will be fully compensated.”

(also stated here though I can’t find an official statement)

What will BOI do if my credit history is destroyed by someone who steals my identity via the data you so kindly made available to them? What if that person is never caught and therefore I can never prove that their data source was the hard drives in those laptops? What was that? Did you say ‘nothing’ or was that ‘prove it’? I thought so.

Data is such a genie in a bottle, isn’t it?

facebook and identity and social | aehso on 04 Jan 2008 12:03 pm

As we’ve seen recently, screen scraping Facebook pages violates their Facebook Terms Of Use. Dare suggests that the Facebook Platform APIs can be used to get some (but not all) of a user’s data but I think he’s forgetting about the conditions governing Storable Information which does not permit storing friends’ IDs (amongst other things). Also, in order to use the Facebook Platform in the first place, developers have to agree to the Developer Terms Of Service which clearly indicate that any data gathered (above and beyond that defined as Storable Information) while using the Facebook APIs can only be stored for 24 hours (section 2.A.4). The TOS definition of a data repository is fairly all-encompassing:

“any spreadsheet, database, physical document, server, network, or other repository of information, whether centralized or distributed.”

Pretty all-encompassing, eh! I’ll bet there are more than a few Facebook applications that are actively breaking this term of service. (Aside: The 24 hour restriction can be avoided if, and only if, the application explicitly asks the user to opt-in - see section 2.A.6. I wonder does the OutSync tool that Dare uses do that?)

I am of course picking bones here - I could go on but enough said about the minutiae of Facebook legal mumbo-jumbo. A much bigger and much more important question is: how did we end up in the situation whereby we need to take personal data out of social networks? The answer of course is that we allow multiple web services and social networks to indefinitely store overlapping subsets of our personal data as they see fit.

Let me put it another way - what would happen if we inverted the location of your personal data? What if social networks had to (periodically) contact your identity provider to get your personal information and social graph? Then this type of problem would not exist and everyone would have far greater data and service portability.

However, there are several large barriers to this happening:

  • We don’t yet have an established global identity scheme for storing the critical personal and social graph information that social network websites need to operate. OpenID and OAuth provide the low level plumbing for such a scheme but a higher level standardized portable personal information protocol is required to allow 3rd parties to find out more about a user with an OpenID.
  • Assuming the above existed, it would be impossibly difficult for 99% of internet users to manage/use/understand unless it (their identity service) was managed on their behalf by the organization they work for or their broadband provider. I was going to initially say ‘was built into their OS’ but nowadays people use multiple computers that have no fixed public internet address so that’s not even close to an option.
  • No large social network will ever willingly volunteer to support this. Legislation/Regulation will be required to force the existing social networks to evolve onto this identity model.

The last point is probably the biggest barrier and is likely the reason why no big player is expending significant effort on developing standards for user-owned identity profiles. Given the relative lack of voice that average internet users, or even groups of users, now have (Scoble aside), legislation and/or regulation is IMHO the only way to compel the incumbents to change how the whole social network operates.

identity and oauth and openid | aehso on 07 Dec 2007 11:42 pm

To further explain why I think that standards like OpenID and OAuth are critical to the evolution of a giant global graph I just had to post a diagram drawn by Francis Shanahan for one of his recent blog posts.

It should be clear from just looking at this that a) solving this problem would massively improve usability and usage of the world wide web and b) no single company is going to globally solve it with a proprietary solution.

Great diagram.