
Facebook Founder Zuckerberg Tastes The Sting of His Own Bully Tactics

Sunday, January 24th, 2010 (No comments yet)
Betcha never meant for that to be public

So Facebook is not exactly known for protecting people's privacy. Besides many grievous displays of poor security, they have only added decent privacy controls over time, none of which matter because you can get to the pictures anyway and every installed Facebook app can get all your data too.

All that aside, assume that setting your privacy controls is still better than not setting them. Facebook pulled a real jerk move recently when it required all users when they first logged in for the day to make a decision about their privacy settings. You had to click to keep your current settings, but if you didn't, it would open your profile up using the new default settings.

Though it probably doesn't change anything in the long run, it's quite satisfying to know that Mark Zuckerberg, the founder and CEO of Facebook, fell prey to his own tactic.

In a bit of very interesting timing, Zuckerberg’s photos have been made public to the entire internet, mostly through a post from gossip blog Gawker, after Kashmir Hill at True/Slant discovered and reported that Zuckerberg was sharing photos with a wide circle — friends of friends — and his event calendar with everyone.

Serves him right.

Facebook did not immediately respond to a call seeking comment about whether Zuckerberg’s changes to his privacy settings were deliberate, leadership-by-example-style actions. But in a status update on his profile (pictured above), Zuckerberg says he sets most of his content open and “didn’t see a need to limit visibility of pics with my friends, family or my teddy bear :)”

Sure… He claims that he didn't mind that they were public and that he did it on purpose. Of course it wasn't proof positive that the settings changes are confusing and designed to nudge people out of their privacy into the public eye. Still, some would claim foul.

But why did Zuck suddenly decide to be less private than two months ago, when his settings were uber-private? You couldn’t even friend him before, and you certainly couldn’t see him shirtless.

The fact that Zuck drastically reduced his privacy settings makes me think the Facebook CEO did this accidentally, and now doesn’t want to change back for fear of the resulting PR disaster.

I wonder if Zuckerberg is regretting this move now. He can't go back towards privacy without making it seem that he's a hypocrite. Still, you have to wonder if he's going to start posting less information to his event calendar and photo albums than before since it's been forced for PR reasons to remain public.


BEEF TACO (Targeted Advertising Cookie Opt-Out)

Sunday, March 6th, 2011 (No comments yet)
Blocks tracking cookies from the major advertisers online

Even if you were aware of the many companies that track you around the web and use the profiles they build on you to send you targeted advertising, you probably didn't know that you can opt out of this tracking, one company at a time, with many of them.

How convenient.

While I suppose it's very nice that these companies will stop taking your private browsing habits from you without your knowledge or permission if you go through their hoops to stop it, there's a much easier way. A privacy-minded geek helpfully compiled a list of all the opt-out cookies that the ad networks look for to flag you as someone who shouldn't be tracked.

Further, he modified a free Google app that restores certain cookies after wiping your cookie files to preserve the opt-out cookies. So install BEEF TACO and you will better avoid being tagged and tracked like an animal online.

You can install BEEF TACO here.


Product Rebates

Tuesday, June 14th, 2011 (No comments yet)
In TINY letters it says price is AFTER rebate. Doh!

Rebates are those deals where they promise you a super-low price, sometimes FREE!… buuuut you have to jump through a few hoops first.

Why Stores Like Rebates

You may have wondered why rebates instead of just a discount? Either should be a tax write-off for the company offering them, but there are specific advantages for companies in offering rebates:

Even if you manage to get your rebate, the company that issued it gets to have your money and keep it interest free for 4 to 6 weeks or longer. Better yet (for them), they get chance after chance after chance to keep your money forever:

  • If you buy the wrong item, buy it during the wrong dates, send the wrong paperwork, fail to cut off the UPC code from the product packaging before you throw the packaging away, forget to mail it, or just mail it after the cutoff date, you lose.

  • If it gets "lost in the mail" or carelessly handled by the rebate company, you lose.

  • If the rebate check gets lost in the mail back to you or you forget or lose the check before you can cash it, you lose.

Best of all, the companies require a decent amount of personal information and seldom provide a privacy policy or indication of which data is optional. If they provide a form asking for information that you don't feel is relevant, you could skip it, but then run the risk of having the rebate refused. Once they have your information, without any law to the contrary, they can store it, profile you or sell it to other profilers at their convenience. It's basically the same as a forced registration.

Rebates should be instant in-store discounts only. All other types should be illegal.

So let's sum up: they get your valuable personal information and in many cases get to keep your money too. They win big and you lose big, which doesn't sound like a very good deal to me.

As far as I'm concerned, unless it's an instant in-store discount, all rebates should be illegal.

Rebate Tips

Until and unless that ever happens, here's what you should know about rebates to increase your chances of getting the money they promised you:

  • Read the rebate form's legal details and make sure that it doesn't have any nasty loopholes or policies that you didn't expect.
  • Check the model number of your product and verify that it's specifically listed on the rebate form.
  • Check the effective dates of the rebate to make sure you're buying the item during the rebate period. If it's expired, but a salesperson says the rebate has been extended, have them show you the new rebate form as proof.
  • After buying the product(s), immediately fill out all forms, cut off the UPC codes, and put each rebate in an addressed, stamped envelope ready to go out the next day.
  • Make sure that if you have multiple rebates, you send the original copies to the ones that ask for the originals. The others should say "copy of". If two ask for the original of something, call the number that should be listed on the rebates to get clarification.
  • Make sure that you keep copies of everything. Scanning them into the computer is a great way to do this. It's also a good way to make the copies you need.
  • Make sure that you wrote the correct addresses from the rebate forms to the envelopes.
  • Keep a log of each rebate, the date that you expect the money back, and the phone number (or other contact information) listed on the form to call if it doesn't come back in time. Write each on your calendar and call them immediately if they're not back in time. Keep records of every person you talk to and what they say (record it if you legally can).
  • For large rebates, send them certified mail so they can't claim they didn't receive the information.

In Conclusion

If that seems like a lot of work to get your money, it is. The point that you must remember is this: if you aren't the kind of person to carefully work through all your rebates and follow up if there's a problem, you're probably better off not bothering with rebates at all. Just stick to the lowest price in the store and be done with it.


Data Abuse

Wednesday, April 4th, 2012 (No comments yet)
We're making BILLIONS every year off your data!

At first you might not believe me when I say that your information is valuable. Where you eat, how much you spend for Christmas, your struggle with weight… all these things give companies an advantage in convincing you to give money to them and, based on history, companies are only too happy to use every advantage against you so long as they make money (extended warranties, Product Rebates, Gift Cards, etc.).

So the new cash cow is private information about people that will help companies sell things to you more effectively.

Step 1: Get as much of your data as they can.

While doing business with someone, they ask for information they don't actually need for their business. Sometimes they do it to support planned future capabilities and sometimes they do it for targeted marketing. And in some cases, they just sell it to someone else for some extra cash.

It happens all the time, but one of the more egregious examples I've personally seen was a small video-rental store who asked for your social security number as part of the sign up!

The best way to do this of course is to create a site or service where you will choose to volunteer personal data about yourself for no particular reason. For example: Facebook. Facebook openly uses the information in your profile to target ads to you sometimes in quite insulting ways:

With the knowledge that I was engaged to be married, the site splashed an ad across the left side of the screen playing into a presumed vulnerability. Do you want to be a fat bride? You'd better go to such-and-such Web site to learn how to lose weight before the big day.

Which brings us to step number 2…

Step 2: Use all the data to market to your interests (and also your weaknesses and insecurities).

The Risks

Even if you don't see a problem with the companies you do business with capturing and storing information you didn't give them permission to have, what about when they sell it or lose it? That's the basis of the ID theft problem, which exists because of one kind of data broker, but those are carefully regulated now and only capture one kind of data.

What about some of the other possibilities that arise when there are "citizen files" out there for anyone to have and use?

Manipulation

Companies complain and moan about how they need all this data to "tailor your experience". What that means is, "exploit you where you're weak" and make money from you.

A gift from a friend...

A company that buys the customer list from Jenny Craig might guess that you have weight control problems and send you advertisements for diet plans and pills, or worse: catalogs for gourmet chocolates. If your purchase records show items like newborn diapers and formula, perhaps now is the time to hit you up for contributions for college funds and insurance.

Even worse, what if I decide I don't like you for some reason (damn you, you took the last donut in the breakroom!), but I know that you're a recovering alcoholic (saw it in your profile). Your Facebook page says your wife and kids are going to be out of town for the weekend so what if I drop a "gift from a friend" on your doorstep for you to find in the morning? Specifically a wine sampler or kegger.

I could literally destroy your life just by pushing you in the right place at the right time.

Exclusion and Prejudice

History shows data can be turned against us quickly.

Let's say you have AIDS and many people don't understand the disease. If your doctor or hospital shared the information with marketers (or if your purchasing records show AIDS-related medication), it could spread. Maybe your gym would cancel your membership fearing the backlash if others found out. Maybe your kids would get kicked out of school by an administration that doesn't understand the risks. Maybe neighbors would start vandalizing your house thinking you've got the plague.

Think that's extreme? Didn't you ever hear of Ryan White? Or take a quick stroll through US history to find that census data was used during World War II to identify Americans of Japanese descent for internment. They didn't even have a communicable disease, they were just foreign!

Crime

How easy is it to stalk you if your name and address are always available from the nearest data broker?

If I have access to your credit card receipts or your "shopper card" records, it's easy for me to see whether you have stuff worth robbing.

If I know your annual income is off the charts, perhaps I can arrange to have your son kidnapped (which becomes even easier because I know your daycare provider's name is listed on your credit card statement).

Fixing the problem

A citizen should be able to control their own data. This does NOT mean that you should be able to just correct data, but that (minus being involved in crimes) you should exist in no databases against your will. All services should be usable without any personally identifiable information, or in the cases that such information is required (such as delivery of an item or billing), the data should be erased from all records, databases, backups etc. upon completion of the transaction.

Companies should only ask for information they need and delete as much information as they can after the transaction is complete

For example: public libraries and video rental stores keep records of what is checked out, but they have no business keeping that data once the item has been checked back in. This serves no legitimate purpose and should be disallowed. They can keep information on what was checked out and when for organization and statistics, but the personal information should be removed.

Another example: If I make a credit card purchase online, I should not have to worry that they are keeping my card on file against my will. It should be used for the transaction only and then purged.

And another: I should not have to create an account with any web store just to make a purchase! Forced registrations are identity abuse and have no legitimacy in a consumer transaction. If I wanted to provide my data for easier checkout on return business, I would do so!

So, put simply, there needs to be stiff regulation of the storage and use of data.

They Can't Lose Data They Don't Have

If you don't keep my data on file, you can't lose it

There's a very simple philosophy I follow when it comes to data security. It doesn't matter how bad the security is or how smart the hackers are, if a company doesn't have my data, they can't lose it.

So remember every time there's a data breach and millions of customers' credit cards are stolen… It's not smart hackers, it's the data abusers who stored your information in the first place.


Sears and Kmart Websites Install Spyware on Computers

Friday, September 25th, 2009 (No comments yet)
Bad Sears, BAD!

The sick thing about this story is that the spyware wasn't a hack against these companies, but was planned and sanctioned by the companies.

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable. To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites. Sears called the group that participated "small" and said the data captured by the program was at all times secure and was then destroyed.

Remember that there are no laws currently to protect against the abusive data collection and sharing practices that many companies employ. Be careful with your data and don't trust even the most reputable-seeming companies to choose your privacy over the almighty dollar.


City in Montana Demands Your Login Details to be Hired

Sunday, January 24th, 2010 (No comments yet) Businesses and Government, Privacy

This is so wrong, I barely know what to say. I sure hope this trend doesn't start to catch on, because a lot of people would give up the information when they're pressured instead of doing the right thing and refusing.

"Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc." the form reads. But Bozeman isn't simply interested in finding out where to look for potentially embarrassing personal details; the city wants full disclosure, since the form demands username and password information for each.

This is way worse than all those sickening social networking sites asking for your e-mail address password.

Update

Here is the contact information for the relevant people in the city if you want to ask them why they thought this would be a good idea. And just in case someone were to change the form, here's a copy of the original found on their website:
This is for real... they actually expect you to give up your account details!

UK Loses Data on Over Half its Entire Population

Tuesday, June 14th, 2011 (No comments yet) Computers, Privacy

They had it, they shouldn’t have, now they lost it. Same story all over.

The funniest part of this is that they’re trying to convince their public that it’s a good idea to have a national ID card containing even more data and that they’ll be responsible with that data.

Said someone from an anti-ID card group:

“It’s inevitably good news for our campaign because it proves to people that this government, and indeed any government, cannot be trusted with this amount of information. For 25 million people this is a catastrophe but it is just a small herald of the national ID scheme which would mean a potential catastrophe for 60 million of us.”


Comcast Tries to Use Patriot Act to Take Customer’s SSN

When this guy tried to sign up for Comcast cable without providing his Social Security Number, they harassed him, saying that they were required to ask for it under the Patriot Act. Deal with this by first finding out what they're going to do with it and how they're going to protect it. I would most likely use the '0' trick or just make sure your credit reports are frozen and they wouldn't be able to run credit on you even if they tried.

TJX Fires Employee for Publicizing Their Weak Security

TJX, the company that is known for having the largest data breach in history (so far), has not implemented better security and might have gotten worse. The employee that blew the whistle on them has been caught and fired for it.

TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords.

Hey! That probably means they'll find THIS page. Sweet.

If that's the case, then here's my message to them: Stop storing all that personal data about us against our will and you won't have to pay for more security. You can't lose what you don't have, duh!


TJX Settles with FTC Over Biggest Data Breach In History

Tuesday, June 14th, 2011 (No comments yet) Big Business, Privacy

TJX has settled under charges that they had insufficient computer security protecting their systems, but the only thing TJX must do under the settlement is upgrade their security. Woo.

And this:

“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” said FTC Chairman Deborah Platt Majoras. “Information security is a priority for the FTC, as it should be for every business in America.”
