May 2010 Archives

Steve Lunceford has a great article on why government should have their Twitter accounts verified -- this is a no-brainer and an easy risk mitigation solution to avoid spamming.

Tripwire, Inc. -- a noted security firm and producer of many security products -- filed for an IPO.  The S-1 form can be found here:

Google offers a way to opt out of Google Analytics!  This is kind of big; however, I am reserving accolades until the method for opting out is studied.  Currently it is offered as a browser plug-in or add-on, and those have been notorious sources of leaked information.

Social Media Strategy

The information below originally appeared on; I am reposting here because I think it's a smart approach.  Just want to get the info out there, analysis to come a bit later after the Gov 2.0 expo wraps up today.


1.    Data Map
Most privacy incidents boil down to whether data practices diverge from regulatory requirements or stated privacy policies. To this end, adopting a social media strategy may introduce new data practices not already disclosed in your organization's privacy policy. To determine if your social media strategy is on solid privacy ground, create a data map detailing the demographics and geographical locations of your target social media users, what data fields you would collect, ideally, from and about them, which social media channels you would use to collect that data, how you would use that data, how you would secure it, and how long you would retain it. A good data map will not only identify the core privacy questions, it should also help the marketing department see in a granular way how to make the most effective use of the available data.

2.    Privacy Process Integration
Your organization most likely operates processes for personal data access requests, privacy-choice management, privacy-complaint handling, and personal data deletion. Indeed, the EU and Canadian documents on social network services revealed the importance those jurisdictions place on these user 'rights.' If your organization doesn't have these privacy processes defined, you would be well-served to do so. If they're already defined, your social media strategy will need to integrate with them. For example, if you harvest user data from your social network channels and store that data in a database separate from your other customer systems, you'll want to determine how you'll respond to requests of those users and customers to review copies of their data and to delete their data across both platforms.

3.    Site Monitoring and Response Plan
The EU listed among its top concerns with social networks the ability of users to post sensitive data about other people without their consent. Users can also post their own sensitive information, such as dates of birth and account numbers, that could be used for account fraud. The trouble for organizations implementing social media strategies is there is no easy way to prevent these incidents. What are operators of Facebook fan sites doing? Some appear to be manually monitoring their sites for inappropriate posts and complaints and applying a policy for determining which to respond to and how or which to simply delete.

Social media posts can also provide an early warning of customer-service issues. During a review of popular Twitter sites, for example, it became apparent that customers of a financial institution regularly tweet their annoyance at being put on hold by the call center. Privacy professionals tasked with developing the social media privacy gameplan can show additional value by incorporating customer service and antifraud processes.

4.    Privacy Policy Update
After you've completed the first three components, you'll be in a position to know if your existing privacy policy needs to be updated. One legitimate option is to create a privacy notice specific to your social media channels. Facebook fan sites, for example, include a default 'Info' tab that is tailorable for this purpose. Canada's report on Facebook showed the high importance the privacy commissioner places on detailed privacy disclosures. Surprisingly, however, in our review of popular fan sites, few posted privacy notices on their fan sites or detailed their social media data practices in their main privacy policies.

5.    Regulatory Compliance
EU regulators have determined that operators of commercial social network services are 'data controllers.' This is important because data controllers -- compared to data processors -- have more compliance responsibilities with regard to EU data-protection regulations. One of those responsibilities, for example, is to register with local data-protection authorities the existence of certain filing systems containing personal data. Depending upon how your social media strategy is implemented, if it involves European users, you may have additional compliance steps to take.

Social media networks have created new marketing opportunities and introduced new complexities into organizations' privacy policies and processes. Marketing departments deploying new media strategies have a new reason to get on the calendar of their privacy office.

De-anonymizing Social Networks

A paper by Arvind Narayanan and Vitaly Shmatikov of The University of Texas at Austin describes an algorithm that can re-identify social network users from previously anonymized data (i.e. data that is sent to advertisers).

Operators of online social networks are increasingly sharing potentially sensitive information about users and their relationships with advertisers, application developers, and data-mining researchers. Privacy is typically protected by anonymization, i.e., removing names, addresses, etc. 

We present a framework for analyzing privacy and anonymity in social networks and develop a new re-identification algorithm targeting anonymized social-network graphs. To demonstrate its effectiveness on real-world networks, we show that a third of the users who can be verified to have accounts on both Twitter, a popular microblogging service, and Flickr, an online photo-sharing site, can be re-identified in the anonymous Twitter graph with only a 12% error rate.

Our de-anonymization algorithm is based purely on the network topology, does not require creation of a large number of dummy "sybil" nodes, is robust to noise and all existing defenses, and works even when the overlap between the target network and the adversary's auxiliary information is small.

Paper can be found here:

Tim Reilly: The movement needs heroes.

Eggers' journey to success: good idea, implementable design, political will, good implementation & evaluation of results

Big initiatives face doubts and cultural issues.  Gov 2.0 brings those doubts out and bubbles them up to the surface.

Read the extended version for more on the speakers below:

Accepting the Mission for Greatness
Bill Eggers (Deloitte)

Apps for the Army Jeffrey A. Sorenson (U.S. Army)

Sunlight Foundation Contest Winners Clay Johnson (Sunlight Labs)

15-second Case Studies in Open Government Data Daniel O'Neil (EveryBlock)

Crisis Communication 2.0: Real-time Civilian Protection Zubin Wadia (CiviGuard, Inc.)

Vote on the Web: Transparency and Civic Engagement in Brazilian Politics André Blas (WebCitizen)

Graffiti Tracker: Utilizing Data to Fight Crime Timothy Kephart (Graffiti Tracker Inc.)

Opening the Courts - Using Technology to Empower the Unrepresented Kate Bladow (Pro Bono Net)

You've Been Scienced: Communicating Military Science and Technology with Social Media John Ohab (US Department of Defense, Public Web)

Create short .gov URLs Michelle Chronister (U.S. General Services Administration)

Technology is a Prism Held Up to the Imagination: A Vision of Reality for Gov 2.0 Looking Forward Rita King (IBM Analytics Virtual Center)

Instituting a Culture of AWESOME in Government: The Case of the IED Task Force Tech Team Christopher Dufour (

If You Can't Control the Data, Consider the Message Elizabeth Losh (University of California, Irvine)

First Responder Communities of Practice Jose Vazquez (Department of Homeland Security)

PSU Geekery! contact me on twitter about Gov 2.0. 

Through Matthew's twitter page, I was VERY happy to find the Penn State University's IA Club

Awesome site, amazing work!

Gov 2.0 Expo: Live Blogging #3

Session: "Truly Open Data"

Clay Johnson (Sunlight Labs)

Gov 2.0 Expo: Live Blogging #2

Session Title, "Mission Possible: Putting Government Linked Open Data on the Web"
Sandro Hawke (W3C), John L. Sheridan (Information Policy and Services Directorate of the UK's National Archives)

Sandro kicked it off with a geeky Q&A that made me feel right at home... asking the audience questions about their knowledge base.  Who programs, who understands HTTP response codes, who understands XML, JSON, etc.

Gov 2.0 Expo: Live Blogging #1

Session #1 -- "Introduction to Government Social Publishing with Drupal"

Kieran Lal (Acquia), Jason Hoekstra (Department of Education), Kirsten Burgard (Office of Information and Technology), Dennis Sutch (US Department of Commerce), Tim Wood (, Neil Sroka (

Gov 2.0 Expo

Starting today and lasting through Thursday, I will be at the Gov 2.0 Expo in Washington DC.

Make sure to check out the Booz Allen Hamilton booth at the Expo center to discuss Gov 2.0 privacy and security with me and Karen Goertzel on Wednesday and Thursday, where my opinions will be those of my employer (ahem, full disclosure).

Looking forward to some amazing presentations and would like to send thanks to Program Co-Chairs Laura Ruma and Dr. Mark Drapeau and others for their efforts organizing and setting up the inaugural Gov 2.0 Expo.  For awesome pre-coverage and excitement-building posts, check out Alex Howard.  If you're curious what Gov 2.0 looks like, grab a crayon and follow the drawings of Mark Drapeau to help visualize what this is all about.

I will hopefully be live blogging a bit from the conference, pending the battery life of my laptop, and I will be posting on the PrivacyWonk twitter feed.

How to save your Facebook data

The social media giants have been under increased media scrutiny as the press has latched onto real and alleged privacy violations.  Facebook has made the cover of the May 31st edition of Time magazine.  Reports today are that Facebook, MySpace, and others have been sending detailed user information (information that reveals identity) to advertisers.  Lastly, a national quit day for Facebook has been organized as a protest against the recent changes to Facebook, including instant personalization and the universal like button.  The quit day has been gathering steam and press, but those who have committed to quitting, only 12,041, represent 0.0000301025% of the 400M users.

If you are planning to quit but are concerned about losing all of that precious data, such as friends' contact information and birthdays, fear not!

E-mail Addresses

There are many applications out there that will scrape your profile; these are illegal (against the Terms of Service) and may well get your account locked out before you can actually begin the deactivation & deletion process.  However, there is an alternative that is within Facebook's terms of service and offered specifically to extract contacts from your Facebook account.  Yahoo! e-mail service can export your Facebook friends' contact information.  Simply sign up for a Yahoo! e-mail account and then navigate to the contact import landing page: and click the Facebook icon.  Your contacts will be imported automagically!  To extract your data from Yahoo! services, click on the Tools drop-down menu item and then "Export."  Choose an appropriate export format and save the file to your PC.  Note that in your Applications setting page, Yahoo contact importer is now listed.  Your friends' privacy permissions will dictate how many email addresses are exported.


Birthdays are pretty much just as easy to extract from Facebook.  There is a popular application called Birthday Exporter, a simple and straightforward application.  Once you allow the application access to your information, it generates an iCal file which can be used in Outlook, Gmail, Apple iCal, etc.  The file contains the Facebook Unique ID (UID) of your friend, a title that includes their name (e.g. "Joe Doe's Birthday"), a URL to their Facebook profile, and their date of birth.  Your friends' privacy permissions will dictate how many birthdays are exported.
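To see exactly what such an export carries before mashing it into another service, the sketch below (an added example, not Birthday Exporter's code or output) parses a constructed iCal file with the four fields described above and writes a copy without the profile URL and with each Facebook UID swapped for a random local one. The sample data, the `facebook.example` host and the function names are assumptions made for illustration.

```python
import uuid

# Constructed sample, not real Birthday Exporter output. The first URL is
# folded (CRLF + space), which RFC 5545 allows for long lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:100000000000001@facebook.example\r\n"
    "SUMMARY:Joe Doe's Birthday\r\n"
    "URL:http://www.facebook.example/profile.php?id=1000000\r\n"
    " 00000001\r\n"
    "DTSTART;VALUE=DATE:19800214\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:100000000000002@facebook.example\r\n"
    "SUMMARY:Jane Roe's Birthday\r\n"
    "URL:http://www.facebook.example/profile.php?id=100000000000002\r\n"
    "DTSTART;VALUE=DATE:19751103\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(text):
    """Join folded continuation lines and return the logical lines."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw:
            lines.append(raw)
    return lines

def prop_name(line):
    """Property name without parameters: 'DTSTART;VALUE=DATE:x' -> 'DTSTART'."""
    return line.split(":", 1)[0].split(";", 1)[0].upper()

def parse_events(text):
    """Return one {property: value} dict per VEVENT."""
    events, current = [], None
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            current[prop_name(line)] = line.split(":", 1)[1]
    return events

def minimize(text, drop=("URL",)):
    """Drop linking properties and replace each UID with a random local one."""
    out = []
    for line in unfold(text):
        name = prop_name(line)
        if name in drop:
            continue
        if name == "UID":                 # VEVENT still needs a UID to import
            line = "UID:" + uuid.uuid4().hex + "@local.invalid"
        out.append(line)
    return "\r\n".join(out) + "\r\n"
```

The minimized file keeps only names and dates, so the calendar you import it into never learns your friends' account identifiers.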

Caveat: I acknowledge that advising someone to install a facebook application that gives that app's owners access to all of their data before they delete their account is somewhat contradictory. 

So now you have your friends' e-mail addresses and birthdays.  Mash them all together in Outlook, iCal, or a web-based service like Yahoo or Gmail.  You control the data now.

PS: Don't forget to delete the applications from your app list if you end up staying on facebook.

Reclaim Privacy -- Facebook edition

Matt Pizzimenti, a coder and geek extraordinaire, has developed and launched Reclaim Privacy. The tool is very simple: you drag a bookmark which points to a JavaScript file hosted on Pizzimenti's site to your browser's bookmarks.  Simply log into Facebook and click on the new bookmark.  This will launch Pizzimenti's code and scan through your privacy settings, revealing settings that may accidentally leak information out to the world.

The script is still in early development.  Here is a list of known issues as of today, May 18, 2010:
  • blocked apps are not detected properly
  • does not scan Photo privacy yet
  • does not scan Wall Post privacy yet
  • the scanner for the dropdown settings is wonky sometimes in Firefox
  • "Re-scan" buttons don't work (need to click the bookmarklet instead)
  • Internet Explorer and Opera are not tested (only Safari 4 and FF3 have been tested)

If you code in JavaScript or Python, check out Pizzimenti's source repository on GitHub, and help contribute!

Now, sadly, Facebook will get wind of this application and most likely block it or send Pizzimenti a cease and desist order as it violates their Terms of Service, just like they did for the Web 2.0 Suicide Machine.  It looks like ReclaimPrivacy started gaining traction about 18 hours ago according to Twitter trending (which, you know, is a solid source of information).  I will be following the tool's progress against the bugs above.

If Facebook would like to take a step forward in privacy and user trust, they should offer to buy the script and integrate it directly into their system, allowing users a quick and easy way to visualize their privacy posture and make changes.

Big thanks and much respect to Matt Pizzimenti for developing this application.  It's a fantastic tool!

Privacy Is Not Dead.

There has been a growing trend of technologists, technocrats, and tech-focused writers decrying privacy as dead in the name of progress and money.  This sentiment has grown as social media and network companies have grown ridiculously profitable for their ability to generate, mine, and sell advertising data.  A great example of the anti-privacy movement:

"The lesson here is striking: Control matters. Privacy doesn't. And as long as we're secure in the knowledge that whatever cool, new Web toy can be turned off, we're fine letting the world peer deeper and deeper into our lives." ~Farhad Manjoo, May 1, 2010, FastCompany 

Farhad makes the false assumption that privacy and control are separate and that privacy is largely an illusion.  Control is not distinct from privacy; rather, it is at the very heart and nature of privacy.  In contrast to Farhad's view that privacy is an illusion, it is actually control which does not exist.  Very few of our new Web toys can truly be turned off.  Closing an account doesn't mean your data gets deleted; it means you simply no longer have access to the data you shared.  I am fine sharing things with friends; I am not okay with companies like Yelp having total access to information.

Nailed it...

Printer/Copier Security & Privacy

CBS News ran a nice investigative piece on copier security recently.  

Takeaways: Copiers have hard drives that can hold a copy of every image printed, copied, faxed, scanned or e-mailed.  Think of the documents you process through those machines in your office.

The CBS piece found law-enforcement-sensitive information and Protected Health Information on randomly purchased printer/copier machines.  Are copiers a part of your organization's security program?  Do you know how to safely clean those hard drives by degaussing or secure overwriting?  Does your leasing contract stipulate data security standards?

"A democracy requires accountability, and accountability requires transparency. As Justice Louis Brandeis wrote, 'sunlight is said to be the best of disinfectants.'" ~President Obama, Freedom of Information Act memorandum.

Introduced today by Senator Jon Tester, the Public Online Information Act is a piece of legislation driven by the Sunlight Foundation, whose detailed agenda states, "Public oversight, civic participation and electoral engagement--the stuff of democratic accountability--all depend on a transparent, open government."  In March, Representative Steve Israel introduced companion legislation (H.R. 4858) into the House of Representatives.
I'm a little late to the game with this piece of legislation, but here's a quick review and round-up of other reviews.

The release of Boucher's privacy bill generated exactly what was intended -- a lot of discussion.  The "for discussion draft" version Congressman Rick Boucher (D-VA) and Congressman Cliff Stearns (R-FL) released on Tuesday, May 4th, 2010 can be found here along with a press release and executive summary.

The bill represents a world of change that has rubbed a lot of industry and lobby groups the wrong way.  The bill targets both the online and offline worlds, mandating clearer privacy notices when collecting personal information.  The bill establishes new definitions of personal and sensitive information, some of which seem to be borrowed from HIPAA, including:

  • Covered Entity -- a person engaged in interstate commerce that collects data containing covered information.
  • Covered Information -- Information including name, telephone, address, email, biometrics, SSN or other government-issued ID number, financial account information, any unique persistent identifiers such as a customer number, unique pseudonym/alias or IP address.
  • Sensitive Information -- Information associated with Covered Information relating to medical records, race/ethnicity, religious beliefs, sexual orientation, financial records, precise geographic location information.

Continue reading for more in-depth analysis...