Weekly What? August 25, 2014
Facebook actually does something right? The government tries to punish a company for losing its customers' data? A phone company's data helps fight a deadly epidemic? A court rules that a site's clickless terms of service aren't sufficient to constitute reasonable notice? Authentication that doesn't rely on passwords? There may actually be hope for the tech world.
No more 'Like' gates to view content, get rewards
Have you ever been coerced into "Like"-ing a page just to see some content or qualify for a reward of some kind? Last week Facebook updated its Platform Policy for developers to make any kind of forced page liking a violation of the service's terms of use.
According to an August 22, 2014, article by Nathan Hole and James Taylor of the JDSupra Business Advisor, sites are no longer allowed to require users to press the Like button on a page before they can view a video, for example. However, there's a fine line between which Like-baiting is allowed and which is verboten. Sites can reward points when 10 of a user's friends download a particular app, for instance, but they can't reward points simply for inviting 10 friends to download the app.
Will this increase the chances that people actually like the pages or apps they "Like" on Facebook? Something tells me the Like-baiters will find other ways to artificially inflate their popularity on the service. When it comes to Likes, it's usually a case of click first, think second.
FTC goes after a company that lost customer data, company cries 'Foul!'
After the Wyndham Hotels suffered its third data breach in two years, the Federal Trade Commission filed a complaint against the company for not taking reasonable steps to protect its customers' data. As Forbes' Kashmir Hill reported in an August 21, 2014, article, the hotel chain asked the court to dismiss the case because the FTC lacked regulatory authority to oversee data security.
The court disagreed, as do most data-security analysts. The fact is, many companies do very little to prevent data breaches because there's no incentive for them to protect their customers' data. For example, TrendNET's IP video cameras are trivially easy for hackers to access, so the FTC recently required that the company improve the built-in security of the devices.
Companies such as Wyndham Hotels claim they lack guidelines from the FTC that would let them know the level of security they are expected to provide. The case indicates the need for federal legislation that standardizes data-security requirements for companies outside the medical and financial industries. It also puts all organizations on notice that data security is a core requirement of all their products and services.
To which I say, "Hooray!" and "Hooray!" You go, FTC!
A mobile phone company releases customer data -- and it's a good thing
When people travel, their cell phones are like digital footprints that let their phone company track their every move. Now that tracking data is being used to model how people in West Africa are moving within the area afflicted by the Ebola epidemic.
MIT Technology Review's David Talbot described in an August 21, 2014, article how the Swedish data-analysis firm Flowmaster created a model of regional transportation patterns in Liberia, Guinea, Sierra Leone, and neighboring countries. The model is based on data released by Orange Telecom that traces 150,000 phones registered to people in Senegal in 2013. The data was anonymized and aggregated, according to the companies.
It is also intended only to help predict the spread of Ebola, and not to plan any travel restrictions in the area, the firms insist. The data had already been authorized for release for another unrelated project, but security and privacy concerns persist. With some effort, the data could be unanonymized to identify the businesses and consumers associated with individual phones.
When you consider the potential of the data analysis to save lives, it's difficult to argue against release of the cell-phone information. This may be one instance where the public good outweighs the private interest.
Clickless approvals don't qualify as 'reasonable notice' for terms of service
We do it all the time: We're so anxious to start using a new app or Web service that we blow right past the "terms" link without glancing at what it is we may actually be agreeing to. Down the road, we realize we didn't get what we expected, or we're unpleasantly surprised in some other way. Our complaints to the vendors go nowhere; they just point to some obscure paragraph buried deep in a 10,000-word terms-of-service agreement.
"But, but... you didn't tell me." In a recent case, the Ninth Circuit of the U.S. District Court of California ruled that such agreements apply only if the person took the affirmative action of clicking an "I agree" box, and only if it would be reasonable for a person to anticipate such a rule. As reported in an August 19, 2014, post on the Public Citizen blog, users aren't bound to a service's terms when they are presented only as a link on the bottom of a page. Absent an "I agree" checkbox and other reasonable attempts to provide users with notice of the terms' existence, they simply don't apply.
In Nguyen v. Barnes & Noble, the retailer tried to enforce an arbitration clause that was included in terms that required no overt act of acknowledgement by customers. So without a click, those terms won't stick.
Baby steps closer to authentication that doesn't rely on passwords
When a company claims that one of its trade secrets has been violated, the courts require that the company prove it took steps to secure the information from unauthorized use. When Wayman Fire Protection attempted to demonstrate that it met the security-measures threshold by password-protecting the documents it claimed were trade secrets, the court ruled "Uh-uh."
An August 22, 2014, article on the JDSupra Business Advisor site attributed to Quinn Emanuel Urquhart & Sullivan, LLP, states that the Delaware Court of Chancery ruled against the company, finding that in this case, password-protection alone was insufficient to maintain trade-secret status. The two documents in question were taken from the company's Salesforce.com account.
A former Wayman employee had copied files from the account along with others on his backup drive and then shared them with his new employer, a Wayman competitor. After losing a bid to the competitor, Wayman sued the company, which conceded liability on several issues. However, the court ruled against Wayman on its claim of misappropriation of trade secrets. Simply applying a password isn't enough to indicate that the information is considered a trade secret.
So courts are starting to recognize that passwords aren't a particularly secure way to secure sensitive information. Maybe this will help organizations decide to give passwords the boot as their primary means of authenticating their employees and customers. Alternate authentication technologies are available that put passwords to shame.
The most recent example of biometric authentication going mainstream is the eyeball selfie. As Sarah Buhr explains in an August 20, 2014, article on TechCrunch, EyeVerify has garnered some big-name backers for its ID-verification technology based on the blood vessels in your eyeball. Just hold your phone eight inches from your eye, take a picture, and EyeVerify matches the blood vessel pattern with the image it has on file for you.
Eyeball selfies offer advantages over competing biometric authentication methods: they're more difficult to defeat than fingerprint readers and more accurate than voice recognizers, according to the experts. To my way of thinking, we're getting very close to ABP (anything but passwords).