Tagged Posts

Privacy (revisited)

Yesterday I tweeted "I'm more than a bit worried about this #rainmaker thing. it requires others giving my email address to them without my agreement. #donotlike" in response to my receiving a few 'can we connect' requests on different services which all had "found via rainmaker" on them and going to see what it was all about.

Late last night I received an email from Joshua Deixler (signed Co-Founder CloudCenter, LLC joshua.deixler@CloudCenterLLC.com) telling me that "We take privacy very seriously. I would really like to understand your concerns about providing email address. I am not sure how rainmaker facilities (sic) providing your email address to other people? We use email address as key to find data on facebook, LinkedIn and other social networks." and requesting me to comment further. I copy my response below.

—————

Thanks for contacting me. The issue isn't one specific to your rainmaker service per se but goes to the issues over the privacy expectations and effective data mining which such services promote. I note, for example, that you sent this mail cc'd to "Alison Mary Wheeler, MBA" <business email address>; "Alison Mary Wheeler, MBA" <a personal email address>; "Alison Mary Wheeler, MBA" <another email address>

Three different addresses, all undeniably mine *in this instance* but only two of which (the first two) are 'public' in that I make them available to others in that sense to write to me. The third one there is a list-only alias used for tracking on selected services only. And there lies the rub. You have associated these three to me with, I might add, an incorrect description (in that none of them are actually made available under the nomenclature of "Alison Mary Wheeler, MBA") and which links my business address and my main personal address where, if I was someone with something to hide, I might be extremely upset about.

That you have offered a service making use of such data matching is, as I noted, not something that is especially unusual. What is annoying to me — and many others I have spoken with who have raised the issue with me after seeing my tweet yesterday — is that such services encourage actions *by others* to distribute someone else's email addresses without their explicit (or, indeed, implicit) agreement, and publicise the data so mined.

I have already decided — as I have done with other similar services in the past — that I will not encourage people to use them by not accepting any such requests that come through such services, and I know that there are others who have made a similar decision. Part of the reasoning for this is that most people try to keep certain email addresses "clean" in terms of the likelihood of spam, and such data mining is prone to breaking down that separation. I know that the last time I turned off my filters and blacklists I was receiving upwards of 15,000 unwanted emails per day. Even now there are still a hundred or two each day which reach an endpoint.

I don't wish to see anything which encourages or publicises my non-public email addresses therefore, and your service does.

—————

The email address has become the apparent ubiquitous way to identify someone, despite the fact that an address may change quite often and, in many cases, could then be re-used by someone else entirely unconnected with the previous user. Email addresses get used as keys into systems (OpenID, WebID, Facebook, etc.) despite their total lack of security or ongoing verification. The promotion of 'helping' people to connect the dots between different addresses therefore is both dangerous (in terms of possibly linking email addresses of people who aren't actually the same person) and dangerous in reducing the effectiveness to zero of what steps people may have taken to control the use of specific email 'identities' to specific services and functions.

At root this is a matter of education of end-users; that they shouldn't go around offering up their address books to online services (rainmaker — and others — ask for access to your google address book) just as they wouldn't take their hand-written address book at home and paste it to the walls of the nearest bus shelter. Do unto others as you'd have others do unto you.
08-Oct-2010 14:29

Information Nation

10-Jan-2010 16:12

Deep Packet Inspection

Just to be clear, I'm writing here about the abomination that is the idea behind Phorm: getting internet service providers to inspect — illegally and without the informed consent of their customers or the owners of the websites they visit — just about all that those customers do online, not so that they can improve their services but because they want to add advertisements. Indeed they would have the ability to replace the advertisement that a website owner has on their site — something like the Amazon or Google ad bars which are on this page and can help finance its operations — with their own marketing, thus reducing the income of the sites concerned and, possibly, even forcing them to close through reduced income!

Then there is the privacy issue. I look at a wide range of websites every day. Some are 'innocent', such as the Guardian's or BBC's news pages, MLB's tv service, Yahoo!'s tech developer pages. But there are also ones not quite so 'innocent' to some eyes. As the musical Avenue Q song has it, "The Internet Is for Porn" and, in that respect, I'm no different to nearly everyone else. But what one person likes to look at or read (food porn! tech catalogues!) should be their own private affair as I see it, unless such activity is criminally illegal anyway.

And why should the fact that I visit particular websites mean I'm interested in related products anyway? I am forever viewing websites whose content I have little to no interest in, but I'm there to see how they solved (or failed to solve!) a particular interface issue, or to look at their design features, etc. Things that relate to a professional interest.

I'm not going to request an 'opt-out' from Phorm for the many sites I am responsible for personally or professionally as that would (a) condone their activities, and (b) still be traceable on a per-user basis (illogically, opting out requires a user cookie on every machine!), but I will be adding the following text to the Privacy pages on all sites:

"PHORM PROHIBITED The contents of this site, and communications between this site and its users, are protected by database right, copyright, confidentiality and the right not to be intercepted as conferred by section 1(3) of the Regulation of Investigatory Powers Act 2000. The use of those contents and communications by Internet Service Providers or others to profile or classify users of this site for advertising or other purposes is hereby expressly and strictly forbidden. Liability for each separate and individual Interception will be retained by any and all ISPs who implement a deep packet interception system such as Phorm, or any system with similar workings as Phorm."
17-May-2009 14:00