Unethical design by negligence

TL;DR: I take two examples of design choices that are problematic in terms of ethics and compliance with the GDPR. Reseplaneraren, a travel planner and FMTK, a fitness app. Both of these apps are from government controlled entities and both are tax funded.

Responsible disclosure note: Research was initiated September 2017, and by October 2017 both had acknowledged that they had received my report. A shorter version of this blog post was published on my Medium blog in September 2017.

Continue reading “Unethical design by negligence”

I’m going to GPN18!


Me at the last Chaos Communications Congress, 34c3.

Tomorrow I will head over to Germany to attend Gulaschprogrammiernacht and give one talk and one workshop. It’s going to be so much fun! I hope to meet so many awesome new people! Four times I’ve been to the Chaos Communications Congress, and I’ve been told GON is the same but smaller. I hope to learn tons of new stuff, and I will wear my LED wearables as much as I can 🙂

Continue reading “I’m going to GPN18!”

Designing systems with privacy in mind

Due to a malfunction a journalist got banned from using her work tool Google Docs. Reporting about wildlife crime, an automated process flagged her content as malicious and locked her out due to violation of the Terms of Service. This happened automatically without human intervention. The system performs analysis in real time of everything we write in our online documents – including this one, ironically (I usually write my drafts in Google Docs). This real-time inspection of my text in Google Docs cannot be turned off because it’s considered a core feature.

Continue reading “Designing systems with privacy in mind”

Under GDPR, the owner of your data is you

The new privacy law GDPR gives a very important change in perspective:

You own your data.

Does it mean that you have the right to force the bank to forget your data, and thus your debts? No, of course not. There are other laws that also come into play. There are laws about data retention at your broadband company, anti fraud laws at your bank, registries that your state keeps. But GDPR switches the basic premise: in the default case, data about you is yours. You loan your data to a company for a limited scope and a limited time.

This means that we who collect and process your data need to design systems that allows for pruning, purging and protection of all data regarding a person. And as we saw in the last article – data that can identify a person could be basically any data. That means the IT business have to step up our game, throw out legacy systems, build robust, predictable and secure systems.

Basically – GDPR forces us to create and use high quality systems.

But wait, does the law force companies to sell only good products? That sounds hard! Yes, it is if the company you’re dealing with doesn’t have a good overview of their assets, their architecture, their business value. If they don’t have smart processes and continuously work on their products, they will risk not complying with the GDPR.


The Air Conditioner Is Watching You

TL;DR: Using metadata, it is relatively easy to find out very intimate information about a person. Therefore it is good to assume that any data in a system is covered by the GDPR. (And if you want to see me go deeper into this, join the HoT69 conference on May 26th!)

GDPR is the new data privacy law that will come into force in the end of May 2018. It’s a neat law that in the best of worlds will help ordinary users to regain control over their data.

A central question for the GDPR is that all Personally Identifiable Information (PII) about a person is owned by that person, and must be protected. But what is PII?

Continue reading “The Air Conditioner Is Watching You”

Informed Consent, Martial Arts and Privacy Data

This article has previously been posted on my Medium blog.

Did you know that Tinder has the right to read all the messages you send in your private Tinder chats? They are allowed to read your pick-up lines and your failed flirts, as well as the hot sex chats that end in exchanging of phone numbers.



 It’s right there in plain text — paragraph 8. And you agreed to it. By ticking the “I accept Terms of Use and the Privacy Policy” box. These “click-through agreements” are common practice, and although it’s not always clear whether these contracts have any bearing in court, they are used as base to collect and process big parts of your life.

In any free society, we have the right to agree upon contracts with other entities. But in my view, this freedom should not entail the right for powerful entities to abuse the fact that the other party rarely reads the 40 page legalese jibberish.

What is Informed Consent?

It is illegal to physically assault another person. Yet, under informed consent, it is perfectly legal to hit someone in the face — It’s called Mixed Martial Arts. Or thai boxing, or ice hockey. Outside the cage these very same people are not allowed to touch another human being — including the person they just punched.

The default setting is that violence is prohibited, but there is also place to temporarily agree upon under which circumstances exceptions can be made. If this were a firewall, this rule would be called “default deny”. In the infosec world, this would be “limiting the attack surface”. In violence or in sex, this would be called “informed consent”.

This is the first part of an ongoing series where I hope to facilitate the discussion about and outline the prerequisites for an Ethical End User License Agreemenet (EULA) under the principle of Informed Consent.

An Ethical EULA:

  • Your personal information, the data and the metadata you produce is owned by you, and can be loaned by another entity by means of EULA
  • The company’s loan of your personal data is limited in time
  • The company’s loan of your personal data is limited in space
  • The company’s loan of your personal data cannot be transferred
  • The company’s loan of your personal data should be opt-in
  • The scope of the personal data loan must be proportional and minimal
  • It must be possible to agree to some parts and not to other parts
  • It must be understandable by the average person

Thing is: if you’re an EU citizen this is already the law.

The General Data Protection Regulation — GDPR — is in force since 2016, and any company that violates these simple principles by May 2018 will (hopefully) be subjected to substantial fines. I believe that the GDPR can bring great things, but I am concerned that advocacy groups and the civil societt are so quiet about what amazing new legal rights we actually are having. A right that is not claimed is not worth very much, and it’s time to step up our game.

How do I propose to do that? That’s the topic of an upcoming article 🙂