

RE: [projectvrm] Citizenme - New personal data vendor hits market


  • From: "StJohn Deakins" < >
  • To: "'T.Rob'" < >, "'ProjectVRM list'" < >
  • Cc: "'Nathan Schor'" < >
  • Subject: RE: [projectvrm] Citizenme - New personal data vendor hits market
  • Date: Wed, 30 Jul 2014 15:07:32 +0100

Hi Rob,

Good to meet you and thanks very much for the feedback – greatly appreciated!

 

The current site started out as a pre-launch ‘leave your e-mail if interested’ page and has morphed considerably. We’ll launch a redesigned site in a few weeks and these points are a great reminder. We currently collect email (opt-in only) and IP address (we host Piwik stats on our own server) and obviously don’t allow 3rd party cookies. The new site will need an EV cert, TLS and HTTPS by default (although we may have an interesting dilemma with the server configuration of our current ‘ethical’ hosting provider, Greennet, that we’ll need to look into further).

 

As for Mailchimp, they’re a really handy way to manage email lists, are TRUSTe certified and have decent ToS (we clearly need to switch over to HTTPS though). Is there another alternative that you’d recommend for efficiently managing thousands of e-mail sign ups in a consumer friendly manner (bearing in mind that we’re a small start-up with limited resource)?

 

Once again, thanks for your feedback. I’ve cc:ed in Morten Jensen, our CTO, for reference.

 

Cheers

 

StJohn

 

P.S. which ToS would you nominate for inclusion out of interest? :-)

 

 



StJohn Deakins

email:    mobile: +44 7500 802020

skype: stjohndeakins  twitter: @stjohndeakins / @ctznme

 

From: T.Rob [mailto: ]
Sent: 30 July 2014 03:11
To: 'StJohn Deakins'; 'ProjectVRM list'
Cc: 'Nathan Schor'
Subject: RE: [projectvrm] Citizenme - New personal data vendor hits market

 

> in a few weeks we’ll have a new web site up which will also display the ‘worst’ terms of service

Oh, I've got some great nominees.  :-)

 

It is a bit odd, however, that CitizenMe doesn't use TLS.  Admittedly submitting an email address isn't much of an exposure.  But since the web site is completely unencrypted, one expects the app probably is too, because once you have the certificate for the app, using it on the web site is free. (Assuming you bought a wildcard cert, that is.)  It would not make sense to go to all the trouble to encrypt the app's network traffic and not the web site, especially if one wishes the world to believe you are a trustworthy custodian of our data.

 

With apologies to Monty Python, if I were creating a VRM web site I wouldn't mess about with TOS and Flash. I would have started with EV certificates, eight o'clock, Day One!  In fact, that's exactly what I did at https://t-rob.net and https://ioptconsulting.com which both run over TLS, even if you attempt to access them in plaintext.  And these are just blogs for which the only registration is to comment, and that's on only one of them. 

 

Contrast this with CitizenMe which runs only in plaintext and if you attempt to access it using TLS you get back a certificate for *.gn.apc.org and a browser error.

 

Of course, it's not really "just" an email address since under "Preferences" the site collects First & Last Name, "SOCIAL_ID", and "REFERRED_BY".  These are managed by Mail Chimp and you *can* actually force it to use TLS to render the form, but even then it submits the form in plaintext.  Again, not terribly intrusive but surprising nonetheless that anyone in this space treats encryption of network traffic as optional, engages a 3rd party to collect user data and allows them to do so in plaintext, or in this case both.  The whole point of VRM is that some vendor doesn't get to decide which of my data I consider valuable and worth protecting.  The fields requested are the bare minimum to describe nodes and vectors in a social graph, after all. 

 

As far as I'm concerned, VRM isn't about where you draw the line between public and private.  It's about not having a line.  ALL traffic is encrypted ALL the time.  Otherwise any "choice" a user has about what they reveal is symbolic at best and, to the extent the service inspires misplaced confidence, potentially harmful at worst.

 

All IMHO, of course.  Feel free to take this with a grain of (cryptographic) salt.

 

Kind regards,

-- T.Rob

 

T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB

https://ioptconsulting.com

https://twitter.com/tdotrob
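
The two conditions described in the message above (a sign-up form rendered over TLS that still submits in plaintext, and a certificate issued for `*.gn.apc.org` being served for a different hostname) can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not CitizenMe's or Mailchimp's code; the `example.org` hostnames, the sample HTML and the `EMAIL`/`FNAME`/`LNAME` field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action and input names of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])


def plaintext_forms(page_url, html):
    """Return (target, fields) for forms whose resolved submit URL is not https."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative or empty action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append((target, form["fields"]))
    return findings


def cert_name_matches(pattern, host):
    """RFC 6125-style match: '*' stands for exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


# Constructed sample: page fetched over TLS, first form posts in cleartext.
SAMPLE_URL = "https://signup.example.org/subscribe"
SAMPLE_HTML = """
<form action="http://signup.example.org/subscribe/post" method="post">
  <input name="EMAIL"><input name="FNAME"><input name="LNAME">
  <input name="SOCIAL_ID"><input name="REFERRED_BY">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    print(plaintext_forms(SAMPLE_URL, SAMPLE_HTML))
    print(cert_name_matches("*.gn.apc.org", "www.example.org"))
```
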

 

From: StJohn Deakins [mailto: ]
Sent: Monday, July 28, 2014 18:34 PM
To: 'Nathan Schor'; 'ProjectVRM list'
Subject: RE: [projectvrm] Citizenme - New personal data vendor hits market

 

Thanks Nathan, in a few weeks we’ll have a new web site up which will also display the ‘worst’ terms of service, as voted by citizens (users of the app).  So far we have around 1,000 citizen votes saying that one particular site's Terms of Service are ‘unreasonable’. Let me know if you’d like more information.

Cheers

StJ

 

 



StJohn Deakins

email:    mobile: +44 7500 802020

skype: stjohndeakins  twitter: @stjohndeakins / @ctznme

 

From: Nathan Schor [mailto: ]
Sent: 28 July 2014 22:54
To: ProjectVRM list
Subject: [projectvrm] Citizenme - New personal data vendor hits market

 

CitizenMe - App That Lets You Spy on Yourself and Sell Your Own Data  http://www.wired.com/2014/07/citizenme/

From the Wired article:

The long-term plan is to provide a way for you to sell your own online data directly to advertisers and others of your choosing.

You start by connecting your social profiles to the app, which stores your data locally on your phone. Nothing is stored on Citizenme’s servers. So far, the app handles Facebook, LinkedIn and Twitter, but other services, such as Pinterest, are planned for the future.

Includes this feature in an interesting way to address the TOS issue often discussed here:

when a company updates its terms of service, Citizenme alerts you and lets you vote on whether you think it’s a good or bad change. “It’s like an anti-virus for terms of service,” Deakins says, even though the outcome of such a vote is purely symbolic.

 

Nathan Schor 305.632.1368

 



