Tuesday, 22 February 2011

Privacy in the Net

In this task we are going through privacy policies. Usually all web sites have them, but no one bothers to read them, and then people wonder how they receive spam and unwanted advertisements. We got down and ugly in this issue!

We selected to inspect Google (not including Postini, which offers e-mail security services) and Evernote. Their privacy policies can be found here and here, respectively. Although the services the companies provide differ quite a lot, they both handle a lot of private information.

Google very likely needs no clarification.

Evernote is a service that provides note taking in a cloud. Users are able to sync their notebooks across various devices including desktops, mobile phones and different mobile gadgets. It is used by millions of users across the planet. This company is operating in a highly competitive market; for example, Google itself had a similar service called “Notebook”, but its development was shut down because the company's management thought that it was not promising for Google. Other services do exist as well, but Evernote is known to be a ‘de facto’ leader in note management.

It is possible to open company-wide accounts called “Sponsored”, where all members of a certain institution can participate in updating one single database of knowledge/valuable information. Various companies use it for conducting research and sharing information crucial for their business, which in the wrong hands can cause serious damage to the enterprise. In this case the privacy of information stored in Evernote is very important.

Privacy policies typically contain information on how the business gathers, handles, stores and distributes data it may receive from its users. In general, companies usually reserve the right to distribute the data to their partners (the amount of data given varies), declare that they are taking measures against unintentionally giving the data out to third parties (whether over the network or physically) and state which laws they apply in their operations (for example the legislation of the USA). Privacy policies can differ quite a bit depending on the operating range of the business, since smaller companies usually do not focus that much on those issues due to the smaller customer base. When the business grows, it is more likely that the company draws unwanted attention from hackers or that it starts to expand its operations and distribute the gathered data to its associates, which might then lead to problems with the customers.

Evernote mentions one interesting detail in their privacy policy:

“Evernote may allow third party business partners that display advertisements on some of our web pages to maintain their own cookies on your computer. These business partners do not have access to Evernote's cookies and their use is subject to their own privacy policies.”

In our opinion it might be a threat to users’ privacy since cookies are known to be a possible gateway for attacks.

Another point which drew our attention was the following:

“Evernote complies with the U.S. Federal Trade Commission (FTC) Children's Online Privacy Protection Act (COPPA), which requires us to inform parents and legal guardians about how we collect, use and disclose personal information from children under 13 years of age.
   
Evernote is not currently directed to children and we currently require users to verify that they are at least 13 years of age upon registration. We will not knowingly collect personal information relating to children under 13 years of age, and if we learn that we have inadvertently done so, we will promptly delete it.”

Although Google very likely operates with minors below this age, they had no mention of this matter in their privacy policy. It could be that one below the age limit is not able to register him/herself with Google services, but it still seems quite odd that they do not state it openly. Some of the services Google provides (e-mail, search engine) are bound to relate to minors, so it remains unclear how Google handles those situations.

More or less, the privacy policies of these two companies share the same points and provide comprehensible information for those who may be interested in reading them. Google provides strictly structured points of their view of the privacy that users of their services have. Also, Google mentions service-specific sets of policies. Evernote, on the other hand, has a more detailed policy published on their site, but it is also clear and mostly easy to understand. Both of these companies probably spend a reasonable amount of money on lawyers who carefully think about every word in the policies that they have. In general, it seems that Google is more strict with the distribution of the collected data, but as Google has more partners than Evernote, the result is still the same: a third party might always know something that you wish it did not.

Sunday, 20 February 2011

Ideagoras

The task we’ve been given this week is related to ideagoras. The term means modern-day agoras, usually hosted on the Internet; we are now speculating on their pros and cons and also trying to find some possible uses for them in matters near to us (more info about agora and ideagora).

There is a large number of challenges and competitions that utilize the ideagora approach. One example is Google’s challenge for creating a project of going to Mars with a camera and receiving the first video of a planetary flyby. It’s more like a challenge but I’ve heard that there were teams of people who were cooperating using ideagoras as an approach.

Some ideagoras on the web offer quite high prizes for the people trying to solve the given problem (e.g. www.innocentive.com). It’s a good stimulus for private individuals who can benefit from, for example, privately conducted research done previously. At the same time people can create their small companies and use challenges presented at sites like the one mentioned before for their start-up, though it might be quite risky. Big companies that possess large numbers of competent people in their staff can assemble groups of specialists who are familiar with the topic and who won’t need much time for background research: it can be a source of easy money.

Amazon’s Mechanical Turk uses a different approach, where people who have tasks to solve post small challenges, valued in cents, not thousands of dollars. On this site the biggest reward when this article was being written was $46.50 (when at Innocentive it was $100000). Individuals are more likely to benefit from it financially. However, it is likely that competition is much higher in this case, and one’s started work might be declined and a solution presented by someone else taken into consideration instead.

Ideagoras can also be used for false purposes: bit by bit one could, for example, get a complete thesis work done while barely working him/herself at all. That would count as plagiarism, but it would be nearly impossible to check for, since the material is produced by multiple persons and compiled from that.

In developing countries, for example Ukraine, one can find advertisements in metro cars about offers to do a Bachelor’s thesis for money or tasks like that. In Kiev there are hundreds of sources for getting your thesis done with minimum effort. There it is legal and laws don’t prohibit that. Those companies/individuals that offer that sort of service can consider going to a site like the ones we mentioned in this article and offering their services or finding tasks they can complete, received from all over the world. This is a business idea, although it goes in the gray area of ethics in science.

Another drawback is that whenever a person gives a result to the given problem in an ideagora, the result has to be checked thoroughly, since there is always the possibility that someone is just trying to use the system to gain rewards with false results. There is also the possibility that someone could use some ideas that they’ve worked out for someone else to their own gain, possibly negating any benefit to the original person posting in the ideagora even if it was answered in a manner suitable for payment.

Overall, the idea of ideagoras is quite good and it has a lot of power when it is utilized for the “right” purposes. It can benefit all the parties related to it, both the doer and the employer. It has its own drawbacks (answers might take some time, they might be inaccurate etc.) but it’s still worthwhile to keep the systems running.

In Ville’s opinion, ideagoras are used in some sense already in the IT field. For example programmers can search up answers to a specific problem they are encountering from the Internet. Although no money is related to these answers and questions, the systems usually work two-way: you have to post good answers in order to see some answers to your questions.

Our university could utilize the idea by offering companies the possibility of having bigger problems solved as a part of the students' studies: thesis, project studies etc. This is already done to some degree, but involving more companies on a larger scale in Finland, or even Europe, might benefit the university, the student and the companies (more graduating students, easier to find thesis topics, problems getting solutions).

Sunday, 13 February 2011

Digital divide

In this task we are speculating around the issue of the digital divide: traditionally it has meant the gap between people who have access to the Internet and those who don’t. These days it can also mean the gap between broadband users and slower connections, since network services are developed towards heavier bandwidth usage.

The problem is more obvious in the developing part of our world. In places like Ukraine, Russia and African countries, Internet access is still considered to be a privilege rather than a basic need. Especially in rural areas, getting a stable connection to the Internet is practically impossible. Also, corrupt governments benefit from the fact that companies have no regulations on providing Internet connections. Pavlo has experience in dealing with ISPs which offer very little for big prices. In Ukraine getting a 3G connection will lower your budget by €20-30 a month and in some cases the Internet works practically 1-2 hours a day, and during the night, because of the high load of users compared to the network capability. When the users complain to their provider they get replies like: “We do not know anything. It must be a problem on your side”. Getting a wired connection can be even more expensive since usually they are offered by monopolies in that sector that regulate prices on their own.

The aforementioned problems that people face in the developing part of our world also mean that companies operating in eBusiness face tough challenges in their operations, and their services are often limited to people living in one or two cities in the whole country.

Fortunately, world organizations such as UNICEF recognize the problem of the digital divide and offer their help especially to such unprotected groups of people as children in Africa. In 2006 a program called “One Laptop Per Child”, whose goal was providing laptops for schools for free, took place. MIT developed a laptop which was capable of running on solar energy, which is plentiful in Africa. Its cost was only $100. Also, another program is being thought over in Canada. AHumanRight.org, an organization that is doing research on means of providing free basic Internet access to developing countries like those in Africa, is thinking about buying the TerreStar-1 satellite (a satellite of the TerreStar company, which makes satellite telecommunications) and reconfiguring it to establish that service for poor countries. It can virtually remove the digital divide in the part of the world where this issue (building the backbone network for the users) is at its strongest. Of course, other problems will still take place, like the prices of computers.

When considering it from the current digital divide in the Western world (broadband vs <256kBps), the problem is very clear. If the customer is living inside city limits, it is usually very easy to get a broadband connection with decent costs in installation and upkeep. But when one is located some ways outside of city limits, the available connection speeds drop and prices rise. For example in the US, getting a wired broadband connection might be completely impossible, and the user has to rely on 3/4G networks. Then problems like connection throughput and stability start to rise.

In our opinion, Internet access should be a right for every person living in the Western world. Whether the consumers should have broadband or narrowband connections is not that big an issue. The key point should be that there is a stable connection working when it is needed and the pricing is not ridiculous when compared to average salaries and costs of life. The Third World would greatly benefit from having the same situation, but the problems there are far greater than merely the lack of broadband (no electricity, possible ongoing warfare, language barriers etc.), but as the situation improves, they should try to focus on getting this possibility to their inhabitants. The Internet does remove or reduce the need for regular mail and old phone line connections, and helps in educating and civilizing people.

Sunday, 23 January 2011

Viruses and hackers

In this task we are speculating problems related to computing: viruses and hackers.

Anyone who has spent extended amounts of time working with computers has very likely had some experience with viruses.

For instance, most of Bill’s experience has come from relatives who downloaded software that installed trojans and other viruses on PCs. While most were easily removed, there was one that disabled the firewall and the anti-virus on the PC. Other viruses, also trojans, have been found by him in "cracks" for various PC programs. On one computer at a place he worked, a virus redirected all websites to various porn sites, causing various problems. All were fixed by booting into Windows Safe Mode and removing the virus via anti-virus software or by manual deletion of all infected files. In some cases, a complete reinstallation of the system OS was necessary. In one case, the computer was fixed by using Windows XP’s repair mode.

In all cases, the virus infections were the result of a lack of knowledge on the users’ parts and not any flaw with the operating systems themselves. Regardless of this, Bill hasn’t experienced e-mail viruses despite the emphasis put on this by various authorities.

Malware has been a larger issue for Bill while working on PCs for other people. One annoying thing has been various forms of spyware that install themselves without permission. Another is the very obstructive “search bar” browser add-ons.

For some very odd reason, scans can find viruses on some PCs that show no performance issues and trigger no alerts from the various firewalls. Not only that, but the files in which the "viruses" were found turned out, after some research, to be false positives.

On the other hand, Pavlo has not had a lot of problems caused by viruses. He switched to Linux-based systems a few years ago and it virtually cut him off from the world of viruses, since the number of viruses designed for Linux/Mac OS is relatively minimal.

Ville has experienced all sorts of viruses, ranging from small data-mining software to full-out backdoor traps. In general, 99% were related to the Windows environment and also required the user to actually do something (open a file, link etc.), instead of spreading without the user knowing. Ville noticed the same thing as Pavlo: switching the OS to a Linux base relieved him of such problems, since the majority of viruses are designed for the Windows environment, as the majority of PCs run that environment.

As for hackers, the Request for Comments RFC 1392 states that one is "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular." Unfortunately, not all hackers limit themselves to just that. Many hackers find pleasure in doing illegal actions for the sake of earning dirty money and not just knowledge of how things work. The hacker movement has its roots in the 60s, when it started as a hobby of programmers and other IT people who were curious about the workings of the IT systems of those days. While it started as a recreational hobby, it’s now a profession for many IT specialists, who are either black (bad) or white (good) hackers.

There have been a large number of notable hackers.
One of them is Jonathan James, who was already a hacker at 16 years old when he was arrested and sentenced. He had managed to get into NASA’s network and steal 1.7 million dollars' worth of software which was created to control various systems on the International Space Station. Jonathan himself later commented that he did so in order to improve his knowledge of the C programming language and, moreover, that the stolen software was “... crappy ... certainly not worth $1.7 million like they claimed.”
http://www.itsecurity.com/features/top-10-famous-hackers-042407/  

There can also be a different type of hacker. A good example is Kevin Mitnick, who used social skills and manipulation in order to gain access where he shouldn't have been able to. He pointed out that the weakest point in information security is usually looking at the screen, so software faults and weak points are not always to blame: the users need to know what they are doing and what/who they can trust. Most viruses and malware take advantage of this social weakness: they trick their way into the system via user ignorance.

Monday, 17 January 2011

Export restrictions

In this task we are required to explain and consider the effects of restrictions on exporting strong encryption systems. The US government wants to do this thing, and we're about to express our views on the subject.

In our opinion, the government is trying to control the people. This is a remnant from the Cold War era, and in the modern world this should not be accepted. In our view the main reason is that if regular people can encrypt and therefore block the access of the government to their data, the government claims that there can be people threatening the country and its people's security. Which in the past 50 years of US policy is not acceptable, and therefore they try to restrict the ways of the average Joe hiding from their all-seeing eyes (for example the rumored Echelon system).

There has been a lawsuit against the government by a civilian, who wanted to publish his article about his encoding systems and the government tried to ban it. First case was won by the civilian, second lost on the grounds that there was no real threat from the government to the civilian. After another case in the same field, it was ruled that software source code is protected by the First Amendment of the US (freedom of speech).

As always, there are pros and cons. Privacy and other countries' and businesses' secrets are always compromised to a system which is controlled by "someone". There are serious threats in this style, since there is always a human on the other side who can "leak" and therefore ruin the whole national security issue. Ville also sees that controlling the people totally is wrong: we should be living in a free world.

On the positive side: if the encryption methods are restricted and regular people cannot access them, the government can protect the nation better. This sounds like a police state diplomacy to us, but to what lengths are we prepared to go in order to protect ourselves? Or are we just plain paranoid?

The Internet is all about being worldwide and open. It should not be completely controlled by nations by their own ruling (e.g. China and North Korea), because people should have the right to express themselves and access all information available, even though it would be against the country's current policies. In the western nations it is highly hypocritical to blame China for being a dictatorship and then perform these kinds of restricting acts on their own people.

Change of focus

As our studies progress, so must this blog.

We are changing the topic to Information security in eBusiness, and all the following posts will be related to that topic.

Thursday, 4 November 2010

Weekly task six: Search engine optimization

In this task we are practicing search engine optimization. We decided that we would start a company selling baby clothing. We chose to use the keywords "baby", "clothing" and "apparel".

The competition situation is as follows (a fun fact is that it depends on which computer you search on: this was done on Pavlo's computer and the results are different on other computers):

Our strongest competitors are motherhood.com, babycity.co.uk and mothercare.com (which appeared on all of our results when cross-checked).

Motherhood.com has quite a lot of errors in W3 validation, but it does have quite good metadata related to the content. A good fact is that they sell only clothes to pregnant women, which gives us the upper hand in getting over it in the baby context.

Babycity.co.uk checks out in W3 validation with only a few errors and they have decent metadata. The problem is that it is misleading: they sell baby clothing in a minor part only and focus on pregnancy and baby care-taking items.

Mothercare.com seems to share the details with motherhood.com, except for the details about pregnancy clothing. Although there is metadata, it is not exact and the meta keywords could also be slightly better. The title of the page is way too long in order to be spot-on.

Overall, the competition seems to be done in a half-good way: important matters are there, but they could be better and more accurate. That's where our company is going to strike.

We decided to make a good, short and exact title, get the meta description the same and then add a lot of keywords related to baby clothing (at least baby, clothing, apparel, clothes, children, small). The oddish part is that it seems that just by focusing on offering actual baby clothing we could rise to the first place, since most of the competition is selling a smaller selection of items (it has directly nothing to do with SEO, but Google seems to show frequently visited sites higher, so by gaining popularity we would gain popularity).

We would like to mention the inconsistency among Google search results depending on the computer. As said, SEO is more like magic and here it can be seen: results differ heavily, which means that there should be some air for new competition (at least hopefully). We tested out on four different computers with the same search words and the results varied every time; how could we then guarantee that our site would be in the top, when even the major players can't?