Dagens aktivism: fler frågor till fler företag

Idag har jag misslyckats med att kontakta Datainspektionen. Deras kontakta-oss-hemsida har ett trasigt certifikat som i själva verket tillhör nearu.se, en webbyrå som man får anta ha byggt Datainspektionens webbplats.

Jag har också skrivit till företaget VASCO Gmbh som tillhandahåller MyDigiPass - ett autenticeringsverktyg för nätet. Man behöver ett MyDigiPass-konto för att kunna registrera sig på en av kommissionens konferenser för pålitliga kommunikationstjänster 13 oktober 2014 i Bryssel. Tyvärr väcker MyDigiPass många frågor hos mig, som är detaljerade nedan:

Hi Digipass,

I realized I need to sign up with you to sign myself up for a European Commission activity in Brussels, probably. However, on the review of your privacy policies I find myself lacking in understanding of what I'm actually signing myself up to - in order for it to be worthwhile to have a specific Digipass which is not, say, Oauth or similar, it would have to hold considerably privacy or security benefits for me. Otherwise it's just an unnecessary additional log-in.

- It is not clear if my prior consent is definitively needed before you share information with third parties, or whether I automatically consent to having such information shared with a large group of companies when I sign up for the account.
- It seems that your service explicitly does not award the option of not interacting with Google or Desk.com. This is surprising since webanalytics can also be done locally by tools such as Piwik, and greatly reduces the utility of your product.
- You adopt only reasonable measures in accordance with the law to protect security and privacy, but the present legislation is quite flawed so it could generally mean that you're not actually doing much.
- It seems to me that you create a perfectly linked environment where my every interaction with any thirdparty undertaken through Digipass is stored with Digipass and shared with authorities on both sides of the Atlantic subject to their whims. For me, it's an uncomfortable thought to sign up for a digipass account which is specifically designed to track my every interaction through the digital space, and this becomes especially uncomfortable since it also implies additional work for me over using, say, a Twitter log-in or other large American company oauth-functionality.

I realize that some of the technical questions which I put forward are not trivial to solve, but I think your product would be greatly helped by taking unlinkability into consideration. Otherwise the utility of your tool is the same or decreased with respect to much simpler and more broadly available tools for end-users online.

On my laptop I presently run Ghostery, RequestPolicy and NoScript. These applications are blocking Google, Adobe, Facebook, New Relic, Twitter, Amazon, Amikay and Desk.com scripts, trackers or requests, which does not instill me with... The feeling of utility, I guess. I don't even know who New Relic and Amikay are, and even if you've invited me to inspect their privacy policies as well as yours, the time-investment for me personally is immense and I am anyway likely to end up with a similar amount of hesitation with respect to their policies as I have towards your privacy policy here.

Btw, your use of the Google captcha also meant I had to re-submit this message while gradually unblocking more and more scripts and requests for about 10 minutes before I understood what was wrong.

While I want to be happy that there is a European company which is honestly investing in making better online authentication services, I can't see where the added value of MyDigiPass or VASCO:s services would arise other than not being incorporated in the US.

I hope my reflections are clear and useful. I'm looking forward to further interactions!

best regards,

Amelia Andersdotter
+32 470460922

3 kommentarer

Imponerande brav. Mest trött blir man väl på Datainspektionen och Kommissionen som använder dåliga tjänster och har dålig koll. Borde du inte lägga lika mycket kraft på dom två som på Digipass?

Jag kan inte just nu eftersom kontakta-oss-sidan inte fungerar och telefontiden bara är till 15:00.

Addendum: Min ursprungliga plan var egentligen att skriva till Datainspektionen om att Skatteverket inte i sina upphandlingsavtal uppfyllt sina förpliktelser som registerförarare gentemot mig som privatperson, genom att underlåta att ha med bestämmelser om IT-säkerhet osv. Men Datainspektionens "Kontakta-oss"-sidan ger ett 404-fel så jag har inte kunnat skriva till dem idag. Imorgon klockan 09:00 kan jag ringa till Datainspektionen och berätta för dem att deras kontaktformulär inte fungerar, men tills dess har jag inte haft nåt bättre dataskyddsrelaterat för mig än att skriva till DigiPass.

Om jag kommer ihåg ska jag skicka dig ett 10 min blixttal om yakrakning (ja om att raka ett hårigt djur).

Lägg till ny kommentar