Yesterday we popped back into the behemoth mall that is Bluewater and as a follow up to my post about Carphone Warehouse thought I might just have another quick look see.  Sure enough there on the display stand was a fairly shiny Samsung Galaxy II logged into someone’s Google account with all their stuff on full show.

Obviously I wiped the phone just to be sure, but this time I’ve emailed the person asking for confirmation as to how their email account ended up on that phone on full display; they may or may not answer.  We will see.

On a plus note the rather nice HTC Titan (?) running Windows Phone 7 comes complete in demo mode with dummy email account, calendar entries, music – in fact the whole shooting match so well done HTC/Microsoft for thinking ahead.

Attention can certainly be used to pay for services, and the value can be readily quantified by comparing the cost of free ad-supported services with their ad-free alternatives. However the value of attention is unique to the individual, and also the context in which it is applied.

But still something about this article just doesn’t sit well with me. I suspect it’s the thought that the nature of currency doesn’t or hasn’t changed and that for something “new” to be considered a currency it must adhere to the old rules, the old definitions.

The notion that a currency must be fungible just doesn’t feel correct.  Indeed a quick hunt around the interwebs shows this question of a need for mutual substitution has been discussed at length many many times but that views are certainly still divided. This article by Venessa Miemis is as good a set of arguments as I’ve read so far.

What is apparent is that Dawson’s characteristics of currency don’t follow the accepted definitions of currency which seem to allow for interpretation as to what constitutes a medium of exchange.  Looking solely at that aspect a great many things have been used over the millennia as tokens of exchange and to the best of my knowledge not all goats are made equal – goats are not fungible.

I do agree with Dawson that to talk about things like reputation as a currency may not be useful, at least when discussing this in traditional terms, however it is clear to me that whilst in it’s infancy reputation, attention (and to a lesser degree influence) are indeed future financial instruments.

At the weekend I happened to be in Carphone Warehouse’s big open store at Bluewater for one such time wasting fondle session and happened upon a wall full of working phones ripe for a quick look see.  It is all too rare to find phone shops with a happy attitude towards breaking boxes and sticking real working phones out there for customers to try, sadly reverting to the stock compressed cardboard or hollow shell imitations. So given such choice it the  HTC Sensation was an obvious place to start, it is basically an updated version of my current Desire HD so a comparison seemed fair.

What didn’t seem right was that when the screen came to life it was showing someone’s Facebook wall.  Odd but not it’s not unheard of for a fellow fiddler to have used an instore demo device to have a sneaky poke and forget to log out.

I did the decent thing and left a “you muppet” type post on his wall and logged the phone out.  But when the homescreen came up it was obvious something far more worrisome was going on. 

The homescreen wasn’t a stock HTC Rosie layout with loads of widgets and apps being moved, there were update and email notifications in the status bar, their were matched contacts awaiting approval.

A quick and very discreet look around pointed to this phone having actually been setup from new by someone. Not setup as in just having a play in a shop, but setup by someone sitting around with enough time on their hands to get the phone how they wanted it.  This was obviously a customer returns phone that had been stuck back on display with no thought.

There were of course a number of things I could do. I could have notified one of the half a dozen bored looking staff chatting to each other in the middle of the store whilst customers stood around idle; but honestly if those same staff couldn’t have been bothered to check a returns phone what hope was there now.  I could have had a proper play with his “Scott’s” accounts or even hijacked a few of them. I didn’t, I took the kinder option and hit the magic half a dozen keys strokes to wipe the SD care and factory reset the phone.

The point of this is our smartphones contain a wealth of personal information from our intimate sharings with loved ones through to our TV preferences through to the keys to our email and bank accounts.   It’s all too easy nowadays to pick up a new phone, log into the cloud and for the handset to be automagically populated with our stuff.  BUT retailers have a duty of care when handling those devices, whether it’s for repair or return in ensuring that personal information goes no further.

What appears to have happened here is akin to giving your plumber with house keys to fix a leaky tap and them walking away leaving the front door wide open.

It’s not acceptable.

Anyone from Carphone Warehouse around because I’d love to hear your thoughts?

I thought it worthwhile commenting on the Darent Valley Hospital’s outpatient self-service check in process where you will be greeted not by the (still in attendance) bored looking receptionists but rather one of these natty embedded Windows terminals in one of eight languages (presumably tailored to locale) linked through to the appointment booking system.

Nothing particularly remarkable about that but I was a little perturbed by the terminal’s insistance that I should answer both personal and demographic questions as part of the check in.  What had the demographics to do with anything?  Certainly none of the questions I saw (I went back later and quickly ran dummy personal data through for a look see) had any relevence to my visit.

I say insist as by refusing to accept the “disclaimer” (right) I was booted straight back to the entry screen with no further path; i.e. unless you hand over the information you could not check in.  Quite how this fits with the NHS’s long held “free to the point of delivery” stand if I am being directed to trade personal information in return for seeing a doctor or consultant I am unsure.

Needless to say when I asked the bored receptionists if there was a way of checking in without answering they offered to do it manually but did say they would probably ask me the same questions.  I made my point that I would therefore probably just not answer those bits.

Maybe that’s why I had to wait an hour for 90 seconds of appointment.

In it, Reding sets out the EU Charter of Fundamental Rights and how this pertains to personal data, being built upon four pillars;

1. The right to be forgotten,
2. Transparency,
3. Privacy by default,
4. Protection regardless of data location.

I won’t go over each, aside from being faily self explanatory the full text can be viewed here.

Given my last post on the whole cookies issue it is the fourth tenet I will quote;

It means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries’ service providers controlling our citizens’ data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules. To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.

Other than some local concern over the ICO’s willingness to pursue US based organisations enough said methinks.

Afterthought: Of  course there are full on discussions in the US today over the “do not track” issue which is very very closely aligned.  Surely a transatlantic push back on abuse of privacy must get the message across.

I consciously decided to not post on last weeks “suprise news” that after several years of consultatation the EU has gone ahead and published it’s directive on browser cookies.

Firstly there are plenty of great bits of analysis written by those far more eloquent than me.  Secondly I really don’t care that much about the guts of the directive, that’s not to say I am not for what it is trying to achieve – consumer protection is a good thing, rather that I have long voiced concerns over the approach and think there are better approaches available. Thirdly as I firmly believe ALL businesses operating in or with the EEA and using/sourcing personal data online should have long been aware of the likely impact.

But apparently companies weren’t aware and the online bitching and scaremongering raged for a good day or two until the usual ADHD crowd had their attention grabbed either by SXSW or the far more important happenings in Japan.

What did suprise, but probably shouldn’t have, me was the number of high profile tech journalists and data centric online businesses that chose to use their platforms to complain long after the stable doors had been bolted.

Thinking of Jumping Ship?

Of all those comments one of the most poignient for me came from an old school pal Nick Halstead over at Tweetmeme / Datasift; companies which are both built and are relient upon personal data.  In a widely picked up Tweet Nick said,

“This is the sort of crap that makes me want to move business to the US.”

It was a genuine reaction to a perceived threat to his business albeit, I suspect, one based more on emotion than rational dissection of the facts.  And why not?  After all from an uninformed standpoint the directive summaries certainly do seem to be potentially unworkable (more from a Usability Experience perspective than a technical one) and seemingly restrictive of current business practises.

The thing is the reaction of moving to the US really isn’t going to help anything.  Back in July 1999 the Belgian courts set precident in a ruling against Yahoo! for refusing to hand over user data to Belgian law enforcement authorities under Belgian law.  The court found that by making it’s services available to Belgian residents (combined with what it believed to be the use of Mail in connection with criminal purposes within Belgium) was sufficient to find that Yahoo! Inc. has a commercial presence in Belgium. Therefore, Yahoo! was subject to Belgian laws.

The obvious outcome being that no matter where you base your business, no matter where you claim to have jurisdictation based in your Terms & Conditions the Belgian authorities have a higher level of claim.

Today in the European Parliament during the review of the EU Data Protection Framework, Commissioner Reding took things a step further in stating that EU DP rules shall apply

“whatever the jurisdiction of the service provider”

and that,

“US based social network service companies need to comply with EU DP rules.”

So to Nick’s subsequent Tweet

“you think the EU will try and make it apply globally? not a chance”

the response was and still is, the EU don’t need to apply it gloabally but if you want to trade in/with the EU hell yes. Basically the Belgian ruling has been given legs and in essence if you make your services available to EU residents you need to comply.  Moving a company to the US makes not a jot of difference, the EU will prosecute empower member states to prosecute for breach.

The only escape will be to give up on EU business, and let’s be honest no one is going to do that now are they?

After a number of promises to the ICO, Internet Eyes finally broke in to the market in 2010 and only a week or so back the Eastern Daily Press heralded the installation in to what were probably the highest profile client sites so far; 3 Budgens stores in Norfolk, UK.

Today the ever vigilant Big Brother Watch has reported that after receiving a number of complaints from his regular customers Budgens owner Jinx Hundal has pulled the service saying,

“The last thing I wanted to do was upset my customers. I have spoken to customers via our customer forum and there have been concerns raised, with customers saying they were uneasy about being viewed by members of the public. I made a mistake and I am genuinely sorry for that.”

As BBW point out, the negative consumer reaction is a powerful one and something few owners would wish for their businesses.  Rather obviously Internet Eyes have spent plenty of time pointing out how much industry loses out to theft as justification for their solution but nothing is said on the cost of losing those customers who just don’t want random strangers watching their every shopping move.

A small #win hopefully on the route to a much larger one.

I haven’t had time to read the whole thing yet but the World Economic Forum can be found over here.

Personal data is becoming a new economic “asset class”, a valuable resource for the 21st century that will touch all aspects of society. This report finds that, to unlock the full potential of personal data, a balanced ecosystem with increased trust between individuals, government and the private sector is necessary.

A superb piece of data visualisation over at at Ball State University’s Center for Media Design looking at the rather curious privacy decisions made by their college students when sharing certain types of information.

“What do you consider personal information?” This is how we began our ideation sessions with college students.  This seemingly simple question generated much discussion, elements of which are captured in the graphic (above), the first of our research outputs (see part 2 as well).

On the face of it they are two fairly disconnected stories; one a company wanting the right to retain control over what they consider their private information, the other a company wanting you to control and share more of your private information with others.

Both stories are linked though by one of the oldest cornerstones in protecting privacy – the individual’s rights and abilities to control information about themselves.  In 2002 The Privacy Commissioner of Canada gave a definition of privacy as being;

“…the right to control access to one’s person and information about one’s self. The right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses.”

So grounded is this notion of individual’s control that it is enshrined in much of the Western societies legislation and has laid the groundworks for not only much debate but also technologies for helping people retain control over their own information; the most obvious of which is Vendor Relationship Management stemming from work by Doc Searls post his co-authored seminal work The Cluetrain Manifesto.

Indeed I and a great many other privacy wonks have always believed to some degree the thinking that by affording the individual control (which of course requires greater transparency of data, technologies and education) that privacy was doable, it was an achievable goal to the point where people no longer felt abused by third parties taking advantage.

This despite i) acknowledging our own interests in the field meant we were far better equiped to manage our own data and ii) there being a great raft of academic work posturing that user control was actual an instrument of deceipt and therefore self destructive.

Indeed only yesterday Anna Maria Virzi ran a piece over on ClickZ (a marketing news website) on Consumer Privacy.  In it reports on Microsoft’s VP of Advertiser & Publisher Solutions Rik van der Kooi’s talk during the IAB‘s Annual Leadership meeting on Monday.  In the talk van der Kooi said,

“Data gets bartered, traded, corralled, bought, sold and used in a myriad of different ways without one central actor being part of the conversation – and that is the user,”

“…businesses stand to benefit if they empower consumers – and let them know what information is collected about their website activities and how it’s being sold or exchanged. By doing this, businesses could earn a consumer’s trust – and a consumer might decide to share even more information with a brand.”

It is the last part that cements the control aspect.

BUT…

Last week my admitedly rose tinted and optimistic outlook on the prospects of this approach to privacy was knocked a little sideways at The Future of Consumer Protection forum in Thun, Switzerland – and I do so love having my thinking challenged and even changed.

Presented was a summary of research undertaken recently at the Carnegie Mellon CyLab by Alessandro Acquisti, Laura Brandimarte & George Lowenstein.  Entitled ‘Privacy and the Illusion of Control‘ it sought to;

“Test the hypothesis that control over publication of private information may influence individuals’ privacy concerns and affect their propensity to disclose sensitive information even when the objective risks associated with such disclosures do not change or worsen.”

“Outcomes: Our findings suggest, paradoxically, that more control over the publication of their private information decreases individuals’ privacy concerns and increases their willingness to publish sensitive information, even when the probability that strangers will access and use that information stays the same or, in fact, increases. On the other hand, less control over the publication of personal information increases individuals’ privacy concerns and decreases their willingness to publish sensitive information. Our findings have behavioral and policy implications: they highlight how technologies that make individuals feel more in control over the publication of personal information may have the unintended consequence of eliciting disclosure of more sensitive information.”

So the more control people are given the more risks they are willing to take exposing personal information.  Hardly an endorsement for user control being THE route to ensuring privacy and certainly cause for concern with developments in the ongoing Facebook race for personal information exposure.

Some brief talks with Acquisti did highlight that user control is important but,

1. people are just not ready to assume the levels of individual control being touted,
2. other techniques such as reducing the types / quantity of information available for control might afford greater privacy in the short term, and
3. that there is still a great deal more research and thinking to be done.

For me the research helped answer that strange niggle I have held, especially with VRM in its most militant guises, over expecting the user to assume full control and affirms my well discussed thinking on Facebook’s constant push forward; it’s a good thing because it raises awareness and if anything actually forces people to change their behaviour.  It’s a nudge in the right direction.