Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW
Wirtschaftsinformatik Forum – GI Deutsches Eck, Universität Koblenz-Landau
17 January 2013
http://www.rogerclarke.com/EC/eCIS {.html, .ppt}
Copyright 2013

eConsumer Insecurity
Five Headlines – Sensationalist But True
What Do eConsumers Do?
• Inter-Personal Comms: Email, Chat/IM
• Content Discovery and Access
• Reading
• Content Publication: Web-Sites, Blogs, Personal Galleries, Music, Video
• Doc Prep
• File-Sharing with Friends, Colleagues
• Personal Databases: Accounting, Investments, Hobbies, Family Trees
Consumer Computing

| Function | Applications (1975-2000) | ==>> Services (2000-) |
|---|---|---|
| Email | Email clients, using smtp/pop/imap | Webmail, using http / https |
| Personal Galleries | Personal Web-Sites | Flickr, Picasa, 3rd Party Blogs |
| Personal Music | Dedicated Devices | iTunes |
| Doc Prep | Office on the Desktop | Zoho, Google Docs |
| File-Sharing | FTP-server and -client | Dropbox |
| Reading | [Books] | eBooks, Rented |

http://www.rogerclarke.com/EC/CCC.html
A Participant-Oriented Classification of Social Media

| Category | Openness | Examples |
|---|---|---|
| Interaction | Closed | Email / Chat-IM / Skype |
| Broadcast | Open | Web-Pages, 'walled-garden' 'wall-postings', YouTube |
| Collaboration or Sharing | Semi-Open or Open | Wikis |
| Content Indicator | | Dis/Approval: 'Like', '+1' |
| Gaming | | Second Life |

Participant patterns distinguished in the original diagram: 1→1, 1→few, 1→many, many→1.

http://www.rogerclarke.com/DV/SMTD.html
eConsumer Wants – 2 of 4

The Basic Needs
• Does it do what I want it to do? [Fit]
• Will it be there when I want it? [Availability, Reliability]

The Basic Protections
• How do I keep going if it stays fallen over for a long time? [Service Interruptions]
• Will you respond helpfully and quickly enough when I ask for help? [Customer Service]
• Will you lose my data, or muck it up? [Data Integrity]
• Do I get my data back if you fall over or withdraw the service? [Survival]
• Can I move my data to another supplier? [Lateral Compatibility]
• Who can I complain to if I get dudded, and will they actually help me? [Consumer Protection]

http://www.rogerclarke.com/EC/CCC.html
eConsumer Wants – 3 of 4

More Advanced Needs
• Will it keep doing what it does now? [Service Integrity]
• Will it stay up-to-date? [Future Fit]
• Will it fall over too often? [Robustness]
• Will it come back quickly after it falls over? [Resilience]
• Is my service protected against you, them and the gods? [Service Security]
• If bits of it are broken, will you fix it without breaking it some more? [Maintainability]
• Can I fiddle with it a bit if I need to? [Flexibility]
• Can I move my data to an upgraded version? [Forward Compatibility]
• How long will old versions keep working for me? [Backward Compatibility]
• Am I breaking the law if I use the service? [Legal Compliance]

http://www.rogerclarke.com/EC/CCC.html
eConsumer Wants – 4 of 4

More Advanced Protections
• Am I going to get gouged? [Cost]
• Can only appropriate people get in and do things? [Authentication and Authorisation]
• Can I get access to all data that you hold about me? [Subject Access]
• Is my data protected against you, them and the gods? [Data Security]
• Is my privacy protected against you, them and the gods? [Privacy Controls]
• If I terminate our relationship, will my data be irretrievably deleted? [Fully Effective Withdrawal]
• What happens to my data if I die? [Archival / Memorialisation]

http://www.rogerclarke.com/EC/CCC.html
Headline 1:
Software on consumer devices becomes dated and local data is often not recoverable, but ...
eConsumer services are a very bad deal
The Terms of Service
• eConsumers can usually only know what Terms apply to an earlier transaction if they mirrored the Terms at the time
• The Terms applicable to the next transaction may not be the same as they were for previous transactions
• The Terms applicable to transactions and to the eConsumer’s data are entirely under the provider's control
• eConsumers can place no reliance on what they may have previously read or heard about the Terms
Second-Party Risk-Exposure Summary of Results
• 3 – the Terms provide the ISP with no right to use the data (iinet, Internode, Yahoo!)
• 2 – use is authorised, but ... only in a manner directly related to the contract (Infinite, Zoho)
• 1 – use is limited to 'access' - although what that limitation means is unclear (Dropbox)
• 1 – use is authorised "to provide the service" - which can be readily interpreted as being the service as a whole not just the service provided to that user (MS Live)
• 2 – the ISP has very substantial rights (Google, LinkedIn)
http://www.rogerclarke.com/EC/IU-SPE-1012.html
In-Depth: LinkedIn
• No responsibility to provide the service, or to do so reliably, or to sustain data stored in it
• Subscribers must disclose physical location, even if irrelevant
• No internal complaints process
• No rights to restitution, no liability for identity fraud
• LinkedIn gains rights to customers' data that are almost equivalent to the rights of the customers themselves
• Unilateral changes to the Privacy Statement, without notice
• Storage in the USA under lax privacy laws
• No undertakings to control staff behaviour
• Enforced 'permission' to disclose personal data, "to assist government enforcement agencies", without legal authority
• Inadequate subject access and correction rights
http://www.rogerclarke.com/EC/LinkedIn-1012.html
The Cloudy Future of Consumer Computing
• Inaccessibility and Lack of Clarity of Terms
• Service Malfunctions
• Loss of Data
• Provider Exploitation of Personal Data
• Largely unfettered scope for changes to the Terms
• Supra-Jurisdictionality and Use of Regulatory Havens
• Seriously Inadequate Consumer Protections
• Dominance of US marketing mores
• Pro-corporate / anti-consumer US regulators
• Meekness of regulators in other countries
• Lack of Organised Consumer Resistance
http://www.rogerclarke.com/EC/CCC.html
http://www.rogerclarke.com/EC/CCEF-CO.html
Headline 2:
Mobile devices are irretrievably insecure
MalContent
• How Much Illegal Porn is on Your Personal Devices?
• Unexpected Email-Attachments and Microsoft Email-Embedded Files
• Unexpected Downloads over the Web
• Unwitting Downloads over P2P
• Malware, Unauthorised Users, ...
• How can you know?
http://www.rogerclarke.com/II/OffIm0511.html
MalBehaviour
• Many categories, including Flaming, Incitement, 'Trolling', ...
• 'Social Engineering': Inveigling users into harmful actions, incl.
  • 'Phishing', esp. for authenticators
  • Download of 'free anti-virus software'
Malware
A Definition to Cope with the Complexities

Software, or a software component or feature, that
(1) is capable of being Invoked on a device; and
(2) on invocation, has an Effect that is:
• Unintended by the person responsible for the device; and
• Potentially Harmful to an interest of that or some other person

Examples: Virus, Worm, Spyware, Backdoor / Trapdoor, Remote Admin Tool, Rootkit, Drive-by-Download
http://www.rogerclarke.com/II/RCMal.html
Absolute-Minimum InfoSec Safeguards
1. Physical Safeguards
2. Access Control
3. Malware Detection and Eradication
4. Patching Procedures
5. Firewalls
6. Incident Management Processes
7. Logging
8. Backup and Recovery
9. Training
10. Responsibility
As applicable to consumers as to business and government
http://www.xamax.com.au/EC/ISInfo.pdf
Headline 3:
That's not a Password; it's a Passéword
Kennwort wurde schon Bekanntwort (German pun: the 'pass-word' has already become a 'known word')
Password Vulnerabilities and Threats

Direct Acquisition
• Visual Observation
• Electronic Observation: Keystroke Logging; Discovery of a Personal Password Database
• Interception
• Phishing

Indirect Acquisition
• Guessing
• 'Brute Force' Guessing
• Compromise of the Password-Reset Process
• Compromise of a Password Stored by a Service-Provider
• Acquisition and Hacking of a Password-Hash File

Compounding Factors
• Use of One Password for Multiple Accounts
• Continued Use of a Compromised Password

http://www.rogerclarke.com/II/Passwords.html
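The last of the indirect threats, acquisition and hacking of a password-hash file, is worth seeing concretely, together with the compounding factor of one password used for several accounts. The Python below is an added example, not part of the original slides: it builds a constructed four-user credential file two ways, as an unsalted fast hash and as a per-user-salted PBKDF2 record, then runs the same offline dictionary attack against both. The user names, passwords and wordlist are constructed for the demo, and the iteration count is deliberately low so the example runs in a moment.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed credential data for the demo: four users, two of whom reuse a
# password. Both "leaked" files below are derived from these plaintexts.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Summer2012", "dave": "c9!Vq2#rXm7&Lw"}
# Constructed attacker wordlist (a real one has tens of millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2012", "iloveyou", "monkey", "dragon"]

def unsalted_sha1(password: str) -> str:
    """Weak storage: fast, unsalted hash. Same password -> same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def crack_unsalted(hash_file: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on an unsalted hash file: hash the wordlist
    once, then look every user up in that table. Returns (found, hash evaluations)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    found = {user: table[h] for user, h in hash_file.items() if h in table}
    return found, len(wordlist)

# Hardened storage: per-user random salt plus a deliberately slow KDF.
# 2_000 iterations keeps the demo quick; production uses far more (OWASP
# recommends hundreds of thousands for PBKDF2-HMAC-SHA256) or Argon2/scrypt.
DEMO_ITERATIONS = 2_000

def hash_password(password: str, iterations: int = DEMO_ITERATIONS, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)    # constant-time comparison

def crack_salted(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack against salted PBKDF2 records: no shared table is possible,
    so every (user, word) pair costs a full KDF run."""
    found: Dict[str, str] = {}
    evaluations = 0
    for user, record in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_password(word, record):
                found[user] = word
                break
    return found, evaluations

def demo() -> dict:
    weak_file = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong_file = {u: hash_password(p) for u, p in USERS.items()}
    weak_found, weak_cost = crack_unsalted(weak_file, WORDLIST)
    strong_found, strong_cost = crack_salted(strong_file, WORDLIST)
    return {
        "weak_found": weak_found, "weak_cost": weak_cost,
        "reuse_visible": weak_file["alice"] == weak_file["bob"],    # identical hashes
        "strong_found": strong_found, "strong_cost": strong_cost,
        "reuse_hidden": strong_file["alice"] != strong_file["bob"],  # different salts
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unsalted file the attacker hashes the wordlist once and reads off every weak password, and alice's and bob's identical hashes reveal the shared password before anything is cracked. Against the salted, slow records the same wordlist costs one full KDF run per user per word, and reuse is no longer visible from the file. Note that the safeguard is the way the provider stores the secret: having the client send a hash instead of the password does not help on its own, because that hash then simply becomes the secret an interceptor replays.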
Access Control – Threats and Safeguards

Authentication factors
• What You Know: password, 'shared secrets'
• What You Have: one-time password gadget, a digital signing key
• Where You Are: your IP-address, device-ID
• What You Are: a biometric, e.g. fingerprint
• What You Do: time-signature of password-typing key-strikes
• Who or What You Are: reputation, 'vouching'

| Threat | Safeguard |
|---|---|
| Interception | Channel Encryption, e.g. SSL/TLS |
| Rogue or Compromised Second Party | Transmission and Storage of only a password hash |
| Compromise of the Client | One-Time Passwords, Variable Action Passwords |
| Imposter | Multi-Factor Authentication |
Headline 4:
Web technologies are designed to be insecure
Server Control of Consumer Devices
• Java Applets
• ActiveX 'Controls'
• 'Asynchronous JavaScript and XML' (AJAX)
• Drive-by Downloads
• HTML5
• Mobile Apps
Drive-By Downloads
• A large majority of requests to web-sites result in Unrequested Content being pushed to the browser from other sites – variously 'strategic partners' and parasites
• Third-Party Tracking Cookies are imposed by the vast majority of commercial web-sites, and are used by over 200 tracking companies (DoubleClick, et al.)
• Those companies use Additional Spyware to try to circumvent protections (web-bugs, Flash cookies, etc.)
• All of this is in breach of eConsumer consent
• Careful eConsumers use Protections
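To make the drive-by point measurable, here is an added Python example, not from the talk, that audits a constructed record of the responses a browser received while loading one news article. Every host is reduced to its registrable domain, anything outside the first party's domain is counted as a third party, Set-Cookie headers from those parties are classified as persistent or session tracking cookies, and tiny third-party images are flagged as web-bugs; a final function turns the findings into the kind of blocklist a careful eConsumer's protections apply. The page URL, tracker domains, cookie values and the abbreviated public-suffix table are all constructed for the demo; real tooling uses the full Public Suffix List.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed, abbreviated table of two-level public suffixes. Real tooling
# uses the full Public Suffix List (publicsuffix.org); this is an assumption
# made only so the demo is self-contained.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "net.au", "co.nz", "co.jp"}

def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain an operator actually registers
    (the eTLD+1), which is the unit at which 'third party' is judged."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Minimal Set-Cookie parser: {'name': ..., 'value': ..., attribute: ...}
    with attribute names lower-cased (enough for expires/max-age/domain)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        cookie[k.strip().lower()] = v.strip()
    return cookie

@dataclass
class Response:
    url: str
    content_type: str = ""
    content_length: int = 0
    set_cookie: List[str] = field(default_factory=list)

def audit_page_load(page_url: str, responses: List[Response]) -> dict:
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    report = {"first_party": first_party, "third_parties": {},
              "tracking_cookies": [], "web_bugs": []}
    for r in responses:
        party = registrable_domain(urlparse(r.url).hostname or "")
        if party == first_party:
            continue                          # first-party traffic is not a tracker
        report["third_parties"][party] = report["third_parties"].get(party, 0) + 1
        for header in r.set_cookie:
            c = parse_set_cookie(header)
            persistent = "expires" in c or "max-age" in c   # survives the browser session
            report["tracking_cookies"].append(
                {"party": party, "name": c["name"], "persistent": persistent})
        # a 'web-bug': a tiny image whose only purpose is to make the browser
        # contact the tracker (a 1x1 GIF is 43 bytes)
        if r.content_type.startswith("image/") and r.content_length < 100:
            report["web_bugs"].append(r.url)
    return report

def blocklist(report: dict) -> Set[str]:
    """The protection a careful eConsumer applies: refuse further requests to
    any third party that set a persistent cookie or served a web-bug."""
    parties = {c["party"] for c in report["tracking_cookies"] if c["persistent"]}
    parties |= {registrable_domain(urlparse(u).hostname or "") for u in report["web_bugs"]}
    return parties

# Constructed capture of one page load (URLs, cookies and sizes are invented).
PAGE = "https://news.example.com/article/123"
CAPTURE = [
    Response(PAGE, "text/html", 48211, ["session=9f1c2e; Path=/; HttpOnly"]),
    Response("https://static.news.example.com/main.css", "text/css", 30112),
    Response("https://track.adnet-example.net/bid?site=news", "image/gif", 43,
             ["uid=7f3a91b2; Expires=Fri, 31 Dec 2021 23:59:59 GMT; Path=/; Domain=.adnet-example.net"]),
    Response("https://pixel.metrics-example.com/p.gif?u=123", "image/gif", 43,
             ["_m=a1b2c3; Max-Age=63072000; Path=/"]),
    Response("https://cdn.widgets-example.co.uk/share.js", "application/javascript", 8123),
    Response("https://www.widgets-example.co.uk/api/count", "application/json", 87, ["vis=1; Path=/"]),
]

if __name__ == "__main__":
    rep = audit_page_load(PAGE, CAPTURE)
    print(rep)
    print("block:", sorted(blocklist(rep)))
```

Run over the constructed capture, the one article the user asked for causes contact with three organisations the user did not ask for, two of which plant cookies that outlive the session and fetch 43-byte images whose only function is the request itself. The session-only cookie from the sharing widget is recorded but not blocked, which is the judgement call every tracker-blocker has to make.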
HTML5
• Support for: multi-media streaming; open channels as well as sessions; geolocation
• A way to subvert sandboxing
• A way to subvert user control, by inverting the Web from pull to push
• A way to access local data and devices (e.g. cameras, microphones), giving rise to "A Pandora's box of tracking in the Internet"
http://www.sophos.com/en-us/medialibrary/PDFs/other/sophosHTML5andsecurity.pdf
Mobile Apps
• Will Google and Apple protect eConsumers against other parties?
• Who will protect eConsumers against Google and Apple?
• Retrofitting of Mobile OS to the Desktop: Mac OSX, iOS, Android / bluetracks
Headline 5:
The spy in your pocket leaks your location, 10 times per second, and to far more organisations than you thought
The Primary Geolocation Technologies
http://www.rogerclarke.com/DV/LTMD.html
The Practicability of Location and Tracking
• Cell-Location is intrinsic to wireless network ops; More Precise Location is now mostly available
• Tracking is feasible, because the handset sends a stream of messages
• Retrospective Tracking is feasible if the series of locations is logged (√), and the log is retained (√)
• Real-Time Tracking is feasible if the data-stream is intense (√) and latency is low (√)
• Predictive Tracking is feasible if the data-stream is intense (√) and latency is low (√)
http://www.rogerclarke.com/DV/YAWYB-CWP.html
Terms of Service Imposed by ISPs on Consumers
• Substantial Rights to collect, use and disclose personal data, incl. location data
• Unilateral Power: to change the Terms of Service; to do so without notice; to do so with immediate effect
• No Obligation to delete data, ever
http://www.rogerclarke.com/EC/IU-SPE-1012.html
Rampant Location and Tracking
• Through Pseudo-Consent:
  • Uncontrolled personal data collection
  • Uncontrolled personal data use
  • Uncontrolled personal data disclosure
• US data havens undermine EU protections
• Consumer rights and data protection laws inadequate for the task
• Parliaments, Regulators asleep at the wheel
Headline Spare:
Unauthenticated payments are switching card risks from merchants to consumers
Headline Bonus:
Social media services have only one business model, and it's based on personal data exploitation and behaviour manipulation
Some Implications
Naive Advice from 1998: 'Apply Consumer-Friendly Principles'
• Information
• Choice
• Consent: 'opt-in' the norm; 'opt-out' with stringent justification
• Fair Conditions
• Recourse
http://www.rogerclarke.com/DV/DirectMkting.html#Princ
Consumer-Oriented Social Media Features
• Interoperability, Portability: Content, Messages
• Consent, which means: Informed; Freely-Given; Granular not Bundled; Settings Management; Conservative Defaults
• Trustworthy Terms
• Identity Protections: Protected Pseudonyms; Multiple Identities; Caveats, Social Norms and Reputations
• Non-User Protections: Content; Social Networks
• Location Protections
http://www.rogerclarke.com/II/COSMO-1211.html
Some Possible Measures
• IT Security Risk Assessment (SRA), done by someone, from the eConsumer Perspective
• IT Security Risk Management Planning (SRMP), done by someone, from the eConsumer Perspective
• Designed-In Security Safeguards: Practicable and Economic; Default and with Minimal Usability Trade-Off; Documented, with Tutorials
Ways to Get There
• Depend on the proactive and productive prosumer?
• Impose liability for designed-in insecurity?
• Impose liability for serious security errors?
• Develop eConsumer Protection Law? http://www.rogerclarke.com/EC/ICEC06.html#TNT
• Impose Minimum Privacy Undertakings? http://www.rogerclarke.com/DV/PST.html
• Impose Standards on eConsumer Services? http://www.rogerclarke.com/EC/CCC.html#CRR
BYOD Issues
• Hosting Organisation Perspective
  • Need for Network Protection
  • Need for Device Challenge and Testing
  • Need for Minimum Security Standards
  • Need to provide Device-Cleansing Advice
• eConsumer Perspective
  • Transparency of the Organisation's Actions
  • Auto-Reporting of Sensitive Information
  • Exclusion from Services / Participation
Will Consumers Be Precluded From Owning General-Purpose Computing Devices?
Many powerful groups will discover that they want it
• Copyright-Dependent Corporations
• Government Censors
• The Moral Minority, who want governments to extend censorship to whatever content the moral minority thinks the majority shouldn't have access to
• (Dominant) Computing Device Providers (iOS, Android)
• Law Enforcement & National Security Agencies (LEANs)
• 'Fraud Experts'
• Employers and other Organisations permitting BYOD
eConsumer Insecurity
Five Headlines – Sensationalist But True

Agenda
• eConsumers
• 5 Headlines
  • eConsumer services are a very bad deal
  • Mobile devices are irretrievably insecure
  • Passwords are Passé; Kennwort heisst Bekannt (German pun: 'password' means 'known')
  • Web technologies are designed to be insecure
  • Mobiles leak location, very often, far and wide
• Some Implications
eConsumer Differentiation
• Education, Income, Wealth
• Infrastructure Availability
• Technical Capability
• Opportunity-Awareness
• Leadership / Followership
• Risk-Awareness, Risk-Aversion
• Age / 'Generation'
Page 52
The Generations of eConsumers

| Generation | Indicative Birth-Years | Indicative Age in 2010 |
|---|---|---|
| Silent / Seniors | 1910-45 | 65-100 |
| Baby Boomers – Early | 1945-55 | 55-65 |
| Baby Boomers – Late | 1955-65 | 45-55 |
| Generation X | 1965-80 | 30-45 |
| Generation Y | 1980-95 | 15-30 |
| The iGeneration | 1995- | 0-15 |
Page 53
The Generations of eConsumers
• Baby Boomers (45-65): Handshake/phone, PCs came late, had to adapt to mobile phones. Work is Life, the team discusses / the boss decides, process-oriented
• GenXs (30-45): Grew up with PCs, email and mobile phones, hence multi-taskers. Work to Have More Life, expect payback from work, product-oriented
• GenYs (15-30): Grew up with IM/chat, texting and video-games, strong multi-taskers. Life-Work Balance, expect fulfilment from work, highly interactive
• iGens (to 15): Growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking? Life before Work, even more hedonistic, highly (e-)interactive
Page 54
ActiveX 'Controls'
• There is no 'sandbox'. Access is given not just to the browser but to the entire workstation
• The designer thereby gains enormous power over remote workstations
• An ActiveX 'control' can be 'authenticated', but that doesn't assure that it will not be harmful
• ActiveX security problems are far worse than Java's: "The embedding of ActiveX into the Internet Explorer web browser created a combination of functions that has led to an explosion of computer virus, trojans and spyware infections" (an over-ridden Wikipedia entry for ActiveX)
Page 55
A 'Lightweight Alternative' – AJAX
• 'Asynchronous JavaScript and XML'
• A successor to the vague 'Dynamic HTML'
• Applies well-established tools: (X)HTML/CSS -> XML, JavaScript/ECMAScript
• Utilises the XMLHttpRequest Method of HTTP, in particular to enable partial-window-refresh
• Involves an 'Ajax engine' within the browser, which intercepts and processes user-requests and server-responses
http://www.rogerclarke.com/EC/Web2C.html#AltT
Page 56
Headline Spare:
Unauthenticated payments are switching card risks from merchants to consumers
Page 57
Contactless Chips
• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 (cf. original $25)
Page 58
Contactless Chip-Cards as Payment Devices
• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 and $35 resp. (cf. original $25)
• Presence of chip in card is not human-visible, but Logo / Brand may be visible
• No choice whether it's activated
• Operation of chip in card is not human-apparent
• No action required when within 5cm range, i.e. automatic payment
• No receipt is increasingly the norm
• Used as Cr-Card: Unauthenticated auto-lending
• Used as Dr-Card: PIN-less charge to bank account
Page 59
Safeguards
• Authentication – None? / A Non-Secret? (but Yes, for Transactions >$100 Only)
• Act of Consent – None? / Unclear? / Clear? If the card is within 5cm of a device, whether seen or not
• Notification – None? / Audio? / Display? If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None? / Option? / Y?
Page 60
Mobile Payments can be
• Faster
• More Intuitive
• More Convenient
• Less of an Obstacle
Page 61
Mobile Payments can be
• Faster
• More Intuitive
• More Convenient
• Less of an Obstacle
For the Thief Too
Page 62
Risk Analysis Summary
• A lost, stolen or borrowed card can be used by anyone, for multiple transactions up to $100 at a time, without any form of authentication, against the credit or debit account the card is linked to
• The facility is in every card; the choice is merely to have a card or to not have one, and there is no 'Off' switch
• Many Parliaments and Consumer Protection Agencies have done absolutely nothing about it
http://www.rogerclarke.com/EC/CPS-12.html
Page 63
Risk Management Possibilities
• Reconcile your Statements. But:
  • Statements are now very long indeed
  • Statements are increasingly online, not sent, and charged for
  • The time available for challenges is limited (60 days?)
  • Many transactions will not match against a receipt
  • Many business names are not recognisable
• Query unrecognised transactions. But:
  • The consumer has no evidence or much detail, and is uncertain
  • Only a minority of unreconciled entries will be fraudulent
  • Effort, time and fees are incurred for each challenge
  • Processes are designed to be inconvenient and slow (60 days?)
  • Card-issuers can refuse to reimburse
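The two steps on this slide (reconcile, then query what does not reconcile), as an added example that is not part of the original presentation: a small Python reconciliation that pairs statement entries with kept receipts and, for each entry left over, records the facts the slide says the consumer needs before querying it (is the business name recognisable, is the amount within the unauthenticated contactless range, how much of the 60-day challenge window remains). The statement lines, receipts and merchant names are constructed samples.

```python
"""Reconciling a card statement against receipts with the slide's caveats built
in: many entries match no receipt, many merchant names are unrecognisable, and
challenges are time-limited. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date

CONTACTLESS_LIMIT = 100.00   # slide: up to $100 per tap, with no authentication
CHALLENGE_WINDOW_DAYS = 60   # slide: "time available for challenges is limited (60 days?)"


@dataclass(frozen=True)
class Entry:
    posted: date       # date the issuer posted the charge
    merchant: str      # merchant descriptor as printed on the statement
    amount: float


def match_receipts(entries, receipts, day_tolerance=3):
    """Pair each entry with one (day, amount) receipt of the same amount dated
    within day_tolerance days (posting lags the purchase); receipts are used once."""
    unused = list(receipts)
    matched, unmatched = [], []
    for e in entries:
        hit = next((r for r in unused
                    if abs(r[1] - e.amount) < 0.005
                    and abs((e.posted - r[0]).days) <= day_tolerance), None)
        if hit is None:
            unmatched.append(e)
        else:
            unused.remove(hit)
            matched.append(e)
    return matched, unmatched


def triage(unmatched, known_merchants, today):
    """For each unmatched entry, record what the consumer needs before querying
    it: is the name recognisable, is the amount in the contactless range, and
    how many days of the challenge window remain."""
    report = []
    for e in unmatched:
        days_left = CHALLENGE_WINDOW_DAYS - (today - e.posted).days
        report.append({
            "entry": e,
            "unrecognised": not any(k in e.merchant.upper() for k in known_merchants),
            "contactless_range": e.amount <= CONTACTLESS_LIMIT,
            "days_left": days_left,
            "still_challengeable": days_left > 0,
        })
    return report


# Constructed sample statement, receipts and the merchants the consumer knows.
STATEMENT = [
    Entry(date(2013, 1, 2), "WOOLWORTHS 1234 CANBERRA", 54.30),  # receipt kept
    Entry(date(2013, 1, 3), "XYZ PTY LTD", 98.00),               # unknown name, under $100
    Entry(date(2012, 11, 1), "ACME HOLDINGS", 47.50),            # posted over 60 days ago
    Entry(date(2013, 1, 10), "CALTEX FUEL", 120.00),             # known name, no receipt
]
RECEIPTS = [(date(2013, 1, 1), 54.30), (date(2013, 1, 5), 12.00)]
KNOWN_MERCHANTS = {"WOOLWORTHS", "CALTEX"}


def reconcile(today=date(2013, 1, 17)):
    """Run both steps from the slide and return the entries worth querying."""
    _, unmatched = match_receipts(STATEMENT, RECEIPTS)
    return triage(unmatched, KNOWN_MERCHANTS, today)
```

The leftover receipt for $12.00 is deliberate: as the slide says, not every receipt finds a statement line and not every line finds a receipt, so absence of a match is a prompt to look, not proof of fraud.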
Page 64
Headline Bonus:
Social media services have only one business model,
and it's based on personal data exploitation
and behaviour manipulation
Page 65
A Participant-Oriented Classification of Social Media
[Figure: a diagram classifying social media by participant pattern. Column labels: Interaction (1-with-1 / 1-with-few), Broadcast (1-to-many), and Collaboration or Sharing (1-with-many), the last subdivided into Content, Indicator and Gaming; openness labels (Closed), (Open) and (Semi-Open or Open). Examples placed in the diagram: Email / Chat-IM / Skype; Web-Pages, 'walled-garden' 'wall-postings', YouTube; Wikis; Dis/Approval ('Like', '+1'); Second Life.]
http://www.rogerclarke.com/DV/SMTD.html
Page 66
Currently-Available Social Media Genres
1-with-1/Few INTERACTION Tools
• networked text email (asynchronous)
• networked text chat / IM (synchronous)
• SMS / texting from mobile phones
• email-attachments, any format (asynch)
• voice:
  • over Internet (VoIP, Skype) (synch)
  • tele-conferencing (VoIP, Skype) (synch)
  • videophone (Skype Video) (synch)
  • video-conferencing (Skype Video) (synch)
1-to-Many BROADCAST Tools
• bulletin board systems (BBS)
• Usenet / netnews
• email lists
• web-pages
• indexes (Lycos, Altavista, Google, Bing)
• blogs (WordPress, Blogspot)
• micro-blogs (Twitter, Tumblr)
• glogs – wearable wireless webcams, cyborg-logs, retro-nymed as 'graphical blogs'
• 'content communities', e.g. for images (deviantArt, Flickr and Picasa), for videos (YouTube), for slide-sets (Slideshare)
• closed / 'walled-garden' 'wall-postings' within SNS (Plaxo, MySpace, LinkedIn, Xing, Reddit, Facebook, Google+)
1-with-Many SHARING Tools
• Content Collaboration
  • wikis (Wikipedia)
  • social news sites (Slashdot, Newsvine)
  • online office apps (Zoho, Google Docs, MS Live)
• Indicator-Sharing
  • 'social bookmarking' (Delicious)
  • dis/approvals (Digg's dig & bury, Reddit's up & down, StumbleUpon's thumbs-up & thumbs-down, Facebook's Like button, Google+'s +1 button)
• Multi-Player Networked Gaming
  • text-based MUDs
  • social gaming sites (Friendster)
  • Massively Multiplayer Online Games (MMOGs), esp. Role-Playing Games (MMORPGs), e.g. World of Warcraft
  • online virtual worlds (Second Life)
http://www.rogerclarke.com/DV/SMTD.html
Page 67
Social Media's Business Model
• 'There must be a way to monetise this somehow'
• 'You will find something interesting here' is a self-fulfilling prophecy, because people can be enticed to contribute 'something interesting'
• Contributors, and the people who come after them, can be enticed to click on targeted advertisements
• Targeting is based on:
  • profile-data that users supply about themselves
  • content that they have donated
  • their online behaviour while using the service
  • their online behaviour more generally
  • data that other people contribute about the user
Page 68
Privacy Risks in Social Media
• Second-Party Risk Exposure (Service-Provider)
  • Content relating to Oneself
  • Content relating to Others
  • Social Networks including Oneself and Others
• Third-Party Risk Exposure
  • Openness that was Unanticipated
  • Openness through Breach of Original Terms
  • The Service-Provider's 'Strategic Partners'
  • 'Syndication', to any player
  • Government Agency Demand Powers
  • Interception and Hacking
Page 69
A Catalogue of Social Media Privacy Concerns
Source: Reviews of Media Reports 2005-11
1 Privacy-Abusive Data Collection
2 Privacy-Abusive Service-Provider Rights
3 Privacy-Abusive Functionality and User Interfaces
4 Privacy-Abusive Data Exploitation
http://www.rogerclarke.com/DV/SMTD.html
Page 70
A Catalogue of Social Media Privacy Concerns
1 Privacy-Abusive Data Collection
Demands for User Data
• identity data
• profile data
• contacts data, including users' address-books:
  • their contact-points (some sensitive)
  • comments about them (ditto)
  • by implication, their social networks
Collection of User Data
• about users' locations over time
• about users' online behaviour, even when not transacting with the particular service
• from third parties, without notice to the user and/or without user consent
2 Privacy-Abusive Service-Provider Rights
Terms of Service Features
• substantial self-declared, non-negotiable rights for the service-provider, including:
  • to exploit users' data for their own purposes
  • to disclose users' data to other organisations
  • to retain users' data permanently, even if the person terminates their account
  • to change Terms of Service:
    • unilaterally
    • without advance notice to users; and/or
    • without any notice to users
Exercise of Self-Declared Service-Provider Rights
• in ways harmful to users' interests
• in order to renege on previous undertakings
Avoidance of Consumer Protection and Privacy Laws
• location of storage and processing in data havens
• location of contract-jurisdiction distant from users
• ignoring of regulatory and oversight agencies
• acceptance of nuisance-value fines and nominal undertakings
Page 71
A Catalogue of Social Media Privacy Concerns
3 Privacy-Abusive Functionality and User Interfaces
Privacy-Related Settings
• non-conservative default settings
• inadequate granularity
• complex and unhelpful user interfaces
• changes to the effects of settings, without advance notice, without any notice and/or without consent
'Real Names' Policies
• denial of multiple identities
• denial of anonymity
• denial of pseudonymity
• enforced publication of 'real name', associated profile data
Functionality and User Interface
• inadequate documentation and reliance on interpolation
• frequent changes; and/or without advance notice to users, without any notice to users and/or without user consent
User Access to Their Data
• lack of clarity about whether, and how, data can be accessed
• lack of, even denial of, the right of subject access
User Deletion of Their Data
• lack of clarity about whether, and how, data can be deleted
• lack of, and even denial of, the user's right to delete
4 Privacy-Abusive Data Exploitation
Exposure of User Data to Third Parties
• wide exposure, in violation of previous Terms, of:
  • users' profile-data (e.g. address, mobile-phone)
  • users' postings
  • users' advertising and purchasing behaviour
  • users' explicit social networks
  • users' inferred social networks, e.g. from messaging-traffic
• changes to the scope of exposure:
  • without advance notice to users
  • without any notice to users; and/or
  • without user consent
• access by government agencies without demonstrated legal authority
Exposure of Data about Other People
• upload of users' address-books, including:
  • their contact-points
  • comments about them
  • by implication, their social networks
• exploitation of non-users' interactions with users
Page 72
A Catalogue of Social Media Privacy Concerns
3 Privacy-Abusive Functionality
'Real Names' Policies
• Denial of multiple identities
• Denial of anonymity
• Denial of pseudonymity
• Enforced publication of 'real name', and associated profile data
Page 73
A Catalogue of Social Media Privacy Concerns
4 Privacy-Abusive Data Exploitation
Exposure of Data about Other People
• Upload of users' address-books, including:
  • their contact-points
  • comments about them
  • by implication, their social networks
• Exploitation of non-users' interactions with users
• Disclosure of non-users' social networks
Page 74
Social Media Privacy Disasters
• Plaxo, 2004: http://www.rogerclarke.com/DV/ContactPITs.html
• Twitter: http://tweepi.com/blog/2011/07/10-must-know-twitter-privacy-tips/
• Facebook, 2004-: http://www.rogerclarke.com/DV/PrivCorp.html#FB
• Google Gmail, Orkut, Buzz, Google+: http://www.rogerclarke.com/DV/PrivCorp.html#Goo04, http://www.rogerclarke.com/DV/PrivCorp.html#Goo10, http://www.rogerclarke.com/DV/PrivCorp.html#Goo12
• Instagram: http://www.rogerclarke.com/DV/PrivCorp.html#Instagram