Monday, 29 July 2013

Have you read your own privacy policy?

I recently came across Aetna's privacy policy and found this curious paragraph:

Please note that your e-mail, like most, if not all, non-encrypted Internet e-mail communications, may be accessed and viewed by other Internet users, without your knowledge and permission, while in transit to us. For that reason, to protect your privacy, please do not use e-mail to communicate information to us that you consider confidential. If you wish, you may contact us instead by telephone at the numbers provided at various locations on our sites or, in the case of our health plan members, at the Member Services toll-free number that appears on your ID card.

The part in bold is the interesting part. It's a pretty basic "contact us with details provided on your health card" statement, but the request in itself is not what got my attention.

In fact, the whole privacy policy itself is fine, at least from a non-lawyer perspective. It was written to protect Aetna's assets and is there to provide you with your rights and responsibilities should you have questions about how data is being gathered.

Why am I writing about this, then? Let's search Google for the last part of that bold statement, and we'll find a lot of sites using it. I am fairly certain that the original is the one from Aetna above. All in all, we have over 12,000 results with that particular statement, with the privacy policy being tweaked to whatever the author desires. This originally stemmed from a conversation on Full Disclosure.

We have emergency locksmiths, Taiwanese electronics companies, CNC instructors, Indian schools, insurance brokers, and even a law office all using this generic statement.

So who owns this particular policy, and why are people seemingly copying it and then just making slight changes? Based on the context, I would gather that this is Aetna's privacy policy, but is it really theirs? I have no proof, but given that they're a health insurance provider, it would make sense for them to refer to this ID card.

My guess for everyone else is that, with the exception of the law office, the reason for having done so is a lack of readily available lawyers and the desire to have a boilerplate document for anyone to read. I can at least tell you, for one, that this marketing firm lifted theirs from Aetna, as the name still appears in it.

I'd imagine that there is a copyright violation here too, but again, I am not a lawyer, so I cannot say this for certain.

It might be time for these site owners to review their privacy policy.

Thursday, 25 July 2013

Do not filter my Internet

I don't care about your opinion on pornography as it is irrelevant to what I am about to say: we do not need to have "opt-out" options for what content we want to see on the Internet.

Winnipeg MP Joy Smith has suggested that we follow the lead of the United Kingdom in making it so that if you want to have access to pornography, you must opt out of the filter that is on by default. What Smith is proposing is having a list of people who look at pornography.

If you think that the opt-out idea is a good one, read ahead and think about this.

Here's a quote from her via the CBC:

"We’re talking about protecting children. We’re not talking about adults. Adults can log onto their ISP computers, check on the box and turn off the filter," she said.

And then her interview with CTV:

"Child exploitation, human trafficking is a worldwide issue," Smith told CTV's Canada AM. "The Internet is being used to harm children and I think this is just a common sense approach, another tool that parents can have to protect their children."


"It doesn't censor an adult at all, because all the adult has to do in his home or her home is walk over to their computer, log on and check a little box that shuts the filter down. But it does protect the children," she said.

We see a common theme here: "children". What is Smith going on about here? Are children actively searching for pornography or is she concerned that not having a porn filter will lead to these children being exploited? If the former, then parents need to be involved in how their kids use the Internet and if it is the latter, then we already have legislation to deal with that problem. Does Smith understand what she is talking about or is she instead trying to make a name for herself? I'd argue it is the latter and to be honest, she doesn't come off as very intelligent in the process.

This isn't the first time that the party Smith's in has turned legislation centred around the Internet into a crusade to protect the children. Last year, former Public Safety Minister Vic Toews tried to force legislation through that would allow police to monitor Internet activity without a warrant. During the uproar over it, Toews in his infinite wisdom told those who were against the bill that they were either going to be with the Tories or with the child pornographers. He later took a step back, and the bill failed to pass.

What is the fascination with the Tories and drafting Internet legislation that is archaic?

Now back to the content here: pornography. If we permitted this opt-out feature, what is to then require us to opt-out of filters that prevent us from viewing sites belonging to governments or non-profits that the sitting government of the day doesn't like? How would you like to have all of your Internet activity monitored to ensure that you meet the requirements of the government? You may not like the David Suzuki Foundation (the Tories certainly do not), but perhaps your neighbour does and is a regular donor? What if you're actively involved with a group like the Fraser Institute and say a left-leaning government is in power? What if you decide to apply for a job at the city and based on your browsing behaviour they determine that your political ideals do not match theirs and as a result you're not hireable?

Or let's go a step further: what if you're a citizen of Iran and want to renew your passport? The sitting government right now doesn't have much love for the Iranian government so would you like to end up on some watchlist because of your browsing behaviour on Iranian websites?

Going back to protecting children briefly, what are we trying to do with such legislation? If we're trying to prevent child pornography for example, then this law isn't going to do squat. You are unlikely to go on a public search engine, punch in specific key words, and find child porn on a website that is reachable via normal means. I won't go into technical detail, but there are underground networks that exist within the Internet that do not get crawled by the services you and I use daily. The vile behaviour of these people who collect and share the exploited images is not going to easily show up on Google Image Search.

If you're honestly afraid of your kids being exploited, then monitor their Internet activity like a responsible parent should do. It should also be noted that the vast majority of child exploitation is done by someone already close to the child. It is nowhere near as common for random strangers to be exploiting children at random.

It isn't a matter of what party is in power either. It's a matter of what is right: privacy. You may have nothing to hide, you might say, but it isn't in your best interests to rail against those who do value it. It is not a crime to be private about your daily affairs and it should never be. My browsing behaviour is none of your business and likewise yours is none of mine.

If you support having porn filters on the Internet, then install one at home if you're fearful of what might come in. However, don't help vote in laws that would disgust those who died trying to keep the freedoms that you and I still have today.

Monday, 8 July 2013

Docker... why are you doing things this way?

So Docker went and posted this on their website providing instructions on how to install their desktop software:

root@host:~# curl | sh

What does the script do besides running blindly as root? Well, if we take a look at their git repository, we can find this file and see inside:

# Add an user called docker and set its password as docker
RUN useradd -m -d /home/docker -p aaOLN9pfuDGV. docker
RUN sed -Ei 's/adm:x:4:/docker:x:4:docker/' /etc/group


Since Docker doesn't provide an easy method for me to contact them, I've opened a case on this matter in their GitHub and I guess I will wait and see what the response will be.
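
Added example, not part of the original post and not Docker's code: a small shell audit that flags the three things this post objects to in an install script or Dockerfile, namely a download piped into a shell, an account created with a password hash on the command line, and an in-place edit of /etc/group. The function names, rule names and the example.invalid URL are assumptions made for the illustration; the two RUN lines in the sample are the ones quoted above.

```shell
#!/bin/sh
# Added example: not from the original post or from Docker's repository.
# audit_build_file FILE prints one finding per line as "LINE:RULE:TEXT".
# Rule names are this example's own:
#   pipe-to-shell       a download piped straight into a shell
#   hardcoded-password  useradd/usermod given -p/--password (the hash sits in
#                       the build file, so every image shares one known password)
#   account-file-edit   /etc/group, passwd, shadow or sudoers rewritten in place
audit_build_file() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            \#*) continue ;;   # comment lines are not executed
        esac
        check "$n" "$line" pipe-to-shell \
            '(curl|wget)[^;&|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|da|z)?sh([[:space:]]|$)'
        check "$n" "$line" hardcoded-password \
            '(useradd|usermod)[^|;&]*[[:space:]](-p|--password)[[:space:]=]'
        check "$n" "$line" account-file-edit \
            '(sed|tee|>)[^|;&]*/etc/(group|passwd|shadow|sudoers)'
    done < "$1"
}

# check LINE_NO TEXT RULE REGEX: emit a finding when TEXT matches REGEX.
check() {
    if printf '%s\n' "$2" | grep -Eq -- "$4"; then
        printf '%s:%s:%s\n' "$1" "$3" "$2"
    fi
}

# Constructed sample: the two RUN lines quoted in the post plus filler lines;
# the URL is a placeholder, not the one Docker published.
write_sample() {
    cat > "$1" <<'EOF'
# Add an user called docker and set its password as docker
RUN useradd -m -d /home/docker -p aaOLN9pfuDGV. docker
RUN sed -Ei 's/adm:x:4:/docker:x:4:docker/' /etc/group
RUN mkdir -p /home/docker/data
RUN curl https://example.invalid/install.sh | sh
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_build_file "$sample"
rm -f "$sample"
```

Run against a script saved to disk before executing it, this gives a quick list of lines worth reading closely; it is a pattern match, so a clean result does not mean the script is safe to run as root.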