Every person who purchases a cell phone will be forced to register their personal identity as part of a national database, according to a British government plan to extend the powers of state surveillance.

Consumers would have to use an official form of ID, such as passport, when purchasing a cell phone. Naturally, privacy advocates fear that this marks another move by the government to create a surveillance society.

British officials have raised the idea of such a database containing consumer names and addresses  during recent talks with telephone companies such as Vodafone.

The move is directed especially at the 40 million prepaid mobile phone owners who aren’t required to give their names, addresses, or credit card. These pay-as-you-go phones are popular with criminals and terrorists due to their anonymity.

This move is aimed to supplement the plans of creating a database for monitoring and storing Internet browsing habits, telephone records and email of all people in Britain.

The proposal has caused a big backlash by government officials, warning that the database is impractical, too large, and potentially unlawful. Due to the discontent, the full unveiling of the plan has been delayed until next year.

So I joined MySpace about a week ago and was already annoyed at the way they sent me my password over email. But then, just a few days later, I got an email with my first MySpace message / friend request from someone named Riley whose profile picture is a girl in a swimsuit. Originally, her (or his?) profile showed the same city and state that I live in, though now it’s been changed to Greenville, Ohio. Here’s the text of the message:

“Heya sunshine!
I recently broke up (9 months ago) and am ready to date once again. I’m not looking for a serious relationship though. It’s too soon. A little about me: I’m adventurous, outgoing and open-minded. I’m pretty good-looking and healthy. I like going out but also dont mind snuggling! If you make me laugh, you’re half way into my heart. I was browsing the site; my best-friend. After figuring out how things worked I came across your profile. I’m interested! I hope you’re not shy and that you’ll respond. Please dont reply directly though, this is really not my profile, I’m just borrowing it. Send your reply to my real email address instead: kate_cannon_x@yahoo..

Thanks and have a nice day!”

Interestingly enough, I’ve used Facebook and LinkedIn for years now and have never had this problem (or the previous password problem I discussed). But MySpace, for being the most popular social network out there, continues to disappoint. And it’s only been one week!

Perhaps I’m the exception rather than the rule, but if anyone joining MySpace for the first time should expect spam posing as a wannabe friend within one week… Wow, it just seems like one more issue to fuel the lack-of-privacy fire.

In MySpace’s defense, they do have some spam settings in the privacy section of your profile. I suppose it’s nice to be able to customize those settings, but I wonder why the default setting gets me spam? I suppose that’s the catch-22 of social networking and privacy: default openness vs. default privacy. What should those defaults be?

I’m personally a fan of “opting in” to the “my profile is accessible to everyone in every possible way” configuration rather than having to “opt out” of it. But I get the impression that, in general, the default demographic for social networks may prefer it the other way around. And that can make implementing decent privacy settings all the more tricky…

Coincidentally, MySpace updated both their terms of use and privacy policy this past week. Of course, it’s not like I read that relatively long legal verbage every day (if ever). So I have no idea what might have changed recently.

                                                    
I picked on search engine Mahalo as an example of a company emailing its customers passwords. I mentioned how having your password floating around openly on mail servers can defeat the purpose of having a password in the first place. Mahalo’s founder and CEO, Jason Calacanis, joined the discussion and some good thoughts were shared from both sides of the issue.

Today I found out that MySpace is on the list of companies sending out passwords through email. I finally signed up (that could be a separate conversation, why I’ve ignored MySpace till now) and promptly got a welcome email with my password staring back at me. MySpace, though, takes it one step further and adds insult to injury by saying “Keep it secret. Keep it safe.” right below my visible password. As if I had a choice at that point, MySpace, you just made it less secret and less safe.

But, of course, I used a I-don’t-care-as-much-if-others-know password that I wouldn’t use for other “important” sites. And I’m sure that the hundreds of millions of MySpace users do the same (yeah, right). In all seriousness, though, I can see how certain sites don’t need the same level of security as others. As an example, there is an obvious difference between MySpace and your bank in terms of security.

In reality, though, there’s a wide spectrum of sites and services protected by passwords. It’s not black and white with only “banks” on the one side and “social networking” on the other. So who should decide which service deserves what level of protection? Well, in this case, it’s my opinion that it’s in the best interest of any company protecting your information with a password to avoid sending that password insecurely over email.

But assuming a world where there will always be companies that send passwords in emails, the very least they could do is tell you this before you decide on your password. That way, you’d know to what degree a company values the protection of your information before you decide on what password to give them.

One very simple implementation of this is that of a company showing you your password as you choose it. You’d then know that this should be a less important type of password. In fact, I’m not sure why asterisks are necessary to “hide” your password as you’re typing it the first time if 30 seconds later the same password previously hidden by asterisks is visible on screen in your email.

However the “less secure” message is conveyed before you create your password, is it too much to ask for this kind of disclosure from companies?

Note: This article is cross-posted at BobCaswell.com.

                                                    
Being that I’m studying for my bachelor’s degree in information technology security, I often find myself experimenting with certain computer security measures and countermeasures. Currently I’m enrolled in a class that focuses on computer and data forensics. Because of this, I have access to trials of some interesting computer forensics programs such as Access Data: Forensic Tool Kit (FTK) and Technology Pathways ProDiscover. Both of these are used by top computer forensics agencies for recovery and analysis of computer hardware and accessories.

Naturally I’ve been experimenting with this software (specifically with ProDiscover) over the past couple of weeks and have found that it is quite good at doing what it does. What is that, you ask? Well, ProDiscover can be used to capture an image from a data source such as a hard drive, jump drive…or even a GPS navigation device. An image such as this contains all of the digital information contained on the device, sometimes even deleted information. That leads me to the topic of today’s article. If you sell your old (or maybe new) GPS navigation device and you have taken the precaution to reset it to factory settings, does it really delete all your old contacts and data?

The answer to this question came surprisingly just a few days ago as I was getting ready to ship my TomTom ONE 3rd Edition navigation system to a buyer from Amazon.com. I realized that before I could ship the system, it would be important for me to have it erase my favorites and added points of interest. While this may not always be of the utmost importance, you may not want your potential buyer to have access to data regarding your home address and the addresses and phone numbers of your 100 closest friends.

In order to erase this data, I simply found the option in the preferences menu to reset the device to factory settings and confirmed my selection twice. Upon doing so, the device reset and allowed me to enter all the initial configuration information just like it would have you do the very first time you turned it on. All is well, or so I thought.

Being the curious type that I sometimes am, I decided it might be fun to connect the TomTom to my computer and have ProDiscover capture an image of it. My objective in doing this was to find out if any of my personal information could still be recovered from the device, AFTER it had been reset. I waited about 30 minutes until the imaging process was complete and what I found was not really too surprising, though maybe at the least a bit alarming. Even after the device had been reset, I could still find instances of both my home address and my school address in deleted files on the TomTom device. Granted, I did have to search for them specifically, but they were still there.

What does this mean? Probably not a whole lot, unless you are ultra paranoid about your personal information. Nine chances out of ten, no one will spend the time or effort to find this information on a device that you have sold. I tried this mainly just to see what would happen, and I ended up learning something in the process. With that said, it may be relevant for TomTom (and other GPS manufacturers) to include some sort of encryption layer for user data on the device, in the future. This way you could have the peace of mind that once you do a factory reset, your data really is inaccessible.

*Update* In related news, TomTom announced the release of two new products for the end of April: the TomTom GO 930 and the TomTom GO 730. Both have some pretty nifty features.

                                                    
Let’s face it; we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate.

So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

This type of action, to me, is a sure sign of amateurs at work. In fact, it’s the lazy man approach for me to give (or take away) initial credibility to any company, startup or established: see how they handle the process of creating an online account.

So who gets picked on today? Search engine Mahalo, which is too bad, really, since they otherwise have plenty going for them. In their own words: “Mahalo is a human-powered search engine that creates organized, comprehensive, and spam free search results for the most popular search terms.”

It’s a fairly useful site and doesn’t require an account for much of what you can get out of it. But there are certain features and functions you do need an account for. So I signed up without hesitation and trusted the site subconsciously by using one of my “real” passwords. When I received the subsequent welcome email, there my password was, staring right back at me.

My only workaround to this all-too-common problem is to sign up with any new service with a token I-don’t-care-if-you-know-my-password password only to change it to a real password after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included and b) find that I am interested in using the service for longer than just my first time of messing around.

But even then, I’ve seen some companies send out a “thank you for changing your password” update email which shows both your new and old password. (I’m not sure how Mahalo handles this; I haven’t gotten that far with them.)

What can make it even more of an eye roller is when the situation is thick with irony. I remember last year: An otherwise reputable affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!

Now, Jason Calacanis, the founder / CEO behind Mahalo seems like a reasonable guy. I’ve emailed him to ask for this to be changed (or an explanation). I can already give you the generic explanation I’ve heard before from other companies: “If you forget your password, you can just look it up in your email.” Here’s a better solution:

If I forget my password, I email support at mahalo.com (or whatever appropriate address) saying as much. Mahalo then should email me (only to the email registered in my account) a randomly generated temp password that only works for a limited amount of time. But it’s enough to get me into my account and allow me to change my password.

Is it a perfect solution? No. Just the first simple solution that comes to mind (that I’ve seen implemented elsewhere). There are other methods, too, like asking you for your mother’s maiden name / third grade teacher / favorite animal, etc. at the time of account creation. The site then asks you one of those questions if you’ve forgotten your password. Even then, though, it shouldn’t just let you in. Again, it should send a temp password to the email address on file.

I’m no security expert. But I do know that most any solution is better than automated open emailing of passwords.

*Update* Thanks to Jason Calacanis for responding (see comments below) and opening up for discussion via Twitter. For anyone interested, feel free to follow me on Twitter here.

Note: This article is cross-posted at BobCaswell.com.

The privacy and portability of your online data may become more of an issue in 2008. News is out today of a Federal case which will investigate whether the use of a false identity could be considered Internet fraud under federal statutes. This was originally triggered by the October 2006 case in which a 13-year-old named Megan Meier committed suicide after receiving “cruel” messages on MySpace (messages allegedly received from the mother of a school rival who was posing as a 16-year-old boy).

Take this news and mix in this BBC piece which discusses how Facebook will have an uncomfortable year due to privacy issues, and we’re back to question of who owns what data online? And who should be able to see what? These are not easily answered questions. After all, there are different types of data (email address vs. phone number, for example) and different types of decision makers (13-year-olds, twenty-somethings, baby boomers, etc.).

But even if more control and ownership were given back to the user, we’d still see conflicting opinions. For control, how granular should it be? While I may want lots of levers to pull for sharing and unsharing tidbits of my information differently with different people, someone else may find that confusing. And for ownership, how will we deal with the viral nature of information spreading? Even if you “own” something, what stops anyone with whom you’ve shared from doing whatever they want with your theoretically “owned” data?

It’s a big mess that many don’t care about (or are perhaps in denial?). But 2008 is shaping up to be the year where online data control and ownership will be in the spotlight.

The Wall Street Journal has the scoop on the latest Google news. Google is hoping to offer consumers a new way to store and access files online. The search giant is working on a service that would let you store essentially all of your files online (documents, music, photos, videos, etc.).

I already do this with Mozy for free. But Mozy works more as a backup that I generally access only when I need to restore files. Google wants to simplify the process of transferring and opening files such that you would actually be using your online files actively.

In true Google style, the service will be free for a limited amount of storage with charges occurring above a certain threshold. In fact, for an example of how this might work, take a look at Google’s Picasa Web Albums photo-hosting service. You can upload photos online and share them with friends, up to one gigabyte for free. You can then purchase 10 gigabytes to 400 gigabytes for around $20 to $500 per year. Just take that service, throw in other types of files and better accessibility, and you might have the GDrive.

Of course, all the standard issues will apply: data privacy, copyright, scalability, etc. We’re all accustomed to targeted ads along side our email in Gmail. But Google bots mining my documents to send me ads? No, thank you.

Copyright issues will also be a tricky one this time around. If these plans are true and Google makes it easy for consumers to share different types of files online as part of this new service, how will it address copyright complaints? One person familiar with the matter says Google is discussing with copyright holders how to approach the issue and has some “preliminary solutions.” Whatever the solutions, how likely would you be to move all your computing online if Google was watching over your shoulder to make sure you weren’t violating copyrights?

Google’s response to the privacy concerns seemed like it could have been taken seriously: “It is certainly approached with the utmost sensitivity on our end,” said a Google spokeswoman. “We have extensive safeguards in place currently to protect our user data and we have a very strong track record in this regard.”

I say “could have” because just a few paragraphs later, we find this:

“A document Google inadvertently released on the Web in March 2006 said it was moving toward being able to “store 100% of user data,” citing “emails, Web history, pictures, bookmarks” as a few examples. The document referred to what appeared to be unannounced Google initiatives, including one dubbed “GDrive” and said they could help compete with Microsoft.”

So Google wants me to entrust them with all my files when it has issues inadvertently releasing its own. Oh, the irony.

Here’s the latest in TechConsumer [Google] news:

Google Blogoscoped stumbled upon evidence which suggests the rumored GDrive (Google online storage) will be made available publicly, likely as part of Google Apps. Apparently, Google Apps accounts allow you to “change the query string parameter on the page where you can disable services.” The important part is that by doing this, the option to disable GDrive is given (even though it was never enabled). See the screenshot below:

Google submitted a patent application filing named Text Message Payment on Friday. The patent explains how “GPay” can be used to make payment via text messages. An example of how this works is in scenarios where you would pay for items in vending machines or at retailers. If rumors of the GPhone come true, then expect to see GPay as a default service for the GPhone. See the screenshot below:

The Economist (subscription required) has joined the ranks of those questioning Google’s antics, asking some of the same questions TechConsumer’s Tom asked in his article entitled, Is anyone else nervous about Google? The Economist compares Google to a bank: “Just as financial institutions grew to become repositories of people’s money, and thus guardians of private information about their finances, Google is now turning into a custodian of a far wider and more intimate range of information about individuals… [Google] will be the one to test the limits of what society can tolerate.”

                                                    
So the big news today comes in the form of a Microsoft press release explaining a strategic alliance of sorts between Microsoft and Ask. The two companies are “joined together in the commitment to call on the industry to develop global privacy principles for data collection, use and protection related to searching and online advertising. The companies will work with other technology leaders, consumer advocacy organizations and academics to come together and join them in working on the development of these principles, which could include developing and sharing best practices to provide more control for consumers.”

Google was the first to say that it will, in the future, keep personal information in its databases for only 18 months. But Microsoft appears to be pulling a one-up move by not only making its 18-month personal info deleting policy retroactive (unlike Google) but also organizing an industry-wide initiative: “We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.”

Interestingly enough, sounds like the search giant Google (see traffic chart courtesy of the WSJ) is being invited to join a party hosted by Microsoft. Will these two forces join together for the good of the consumer? Not likely, though both companies face scrutiny over their pending billion dollar acquisitions (Microsoft: aQuantive for $6 billion; Google: DoubleClick for $3.1 billion). They may need to play nice in the sandbox if only to further their respective agendas of merging search and advertising like never before (which, incidentally, is probably not the best thing from a consumer perspective).

So Microsoft’s move is a nice preemptive strike to say, “hey, we can figure this out on our own.” But unless Google comes to the table, it won’t mean anything. And even then, privacy groups are still likely to want some outside involvement.

Let’s face it; we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate. So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

This type of action, to me, is a sure sign of amateurs at work. In fact, it’s the lazy man approach for me to give (or take away) initial credibility to any company, startup or established: see how they handle the process of creating an online account.

Just the other week, a classic case of stupid reminded me of this. An affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!

My only workaround to this all-too-common problem is to sign up with any new service with a token I-don’t-care-if-you-know-my-password password only to change it to a real password after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included and b) find that I am interested in using the service for longer than just my first time of messing around.