Shallow Thoughts : tags : privacy

Fireballs -- an easier variant on the paper brick

I wrote, some time ago, about making burnable paper bricks as an alternative to shredding sensitive paper material that also helps keep you warm in winter.

We recently got pulled in to help with disposing of quite a large cache of sensitive paper, and have discovered a much faster method than the "let sit and stir occasionally" technique.

The trick is to use hot water, ideally with a little soap added. Hot soapy water breaks down the paper quite quickly; the soap helps it break down, and may also help the paper stick together better as it dries.

Stir the mess around a bit, and in as little as a few hours you can fish up handfuls of paper goosh them into nice compact tennis balls. (Though if you can let it sit overnight, so much the better.)

Try to squeeze out as much water as you can, and keep the balls reasonably small, so they'll dry quickly. Ours have been ranging from tennis ball sized to softball sized.

Then put the fireballs out in the sun to dry. We have them on a tarp in the backyard. If anyone visits, tell them it's an art project.

They feel fairly dry on the outside after a day or two, but of course the insides are still wet -- I'd let them sit for at least several weeks before throwing them into the fireplace. Don't want to smoke up the house! Fortunately, with temperatures in the nineties, I don't think we'll be needing the fireplace terribly soon.

Do check first whether your bucket's in reasonable shape. The first bucket we tried turned out to be brittle, and the bottom exploded a bit after putting the paper in. Oops! Brittle Bottom Syndrome seems to be a common fate of buckets that sit out in the backyard for too long.

But at least this photo shows the state of the paper after a short time sitting in the soapy water. I don't think anybody's going to be reading names or credit card numbers off any of these documents, whether or not they're gooshed into a ball.

We're accumulating so many fireballs that I'm hoping to try burning a pyramid of them some time this winter.

Why shred, when you can make paper bricks?

What do you do about all that mail -- junk and otherwise -- with incriminating information on it? You know, the stuff with your name and bank account numbers and such that you don't want an identity thief to get? If you toss them in the recycling (or, worse, the trash), who knows what might happen to them between here and the recycling plant?

Some people buy a shredder -- an electric lump of a thing that sits in a corner and turns paper into streamers. I guess it sounds kinda fun, but it costs money, uses electricity and takes up space. Or you can take all the assorted bits of paper and burn them in the fireplace or barbecue, but that's kind of a hassle and it makes a lot of ash and smoke.

A few years ago, Dave came up with what we think is a better idea: we make the paper into condensed paper fire-bricks, which we then burn the fireplace. They burn much cleaner and more slowly than those bits of paper, and they're fun to make. Here's how.

First, you collect a lot of paper -- we keep a separate wastebasket where we crumple all the papers (no need to shred them).

When you have enough to start a batch, put the papers in a bucket or other container, and fill with enough water that the paper is covered.

Let that sit for a while -- a week or two -- stirring occasionally (maybe twice a day). Ideally, you want the paper to break down to a soup in which you can't read any of the incriminating text. But if you get impatient, you can move on to the next step little early as long as all everything has gotten soft and the paper is starting to break up.

Once everything's soft and soupy, you want a mold of whatever shape you want your eventual brick to be. Cardboard ice cream containers (pictured here) work nicely, or you can use a bowl, a small bucket, practically anything.

Transfer the wet mush into your mold, squeezing out as much excess water as you can. The drier you can get it, the less time it will take to cure. Pack it into your mold as tightly as you can (understanding that if you're using a cardboard ice cream container, it can't take much packing of wet stuff).

Put the mold in a sunny place in the hard to dry, if possible. You can speed the process along by using a mold that lets excess water drain, or by compressing the mush every so often (once or twice a day) and letting any water run out. Early on, we put weights on top to keep the mush compressed, but it doesn't seem to make that much difference.

When it seems quite dry, remove it from the mold. (This mold is an old microwave popcorn making bowl that cracked, so it's no longer good for making popcorn.)

Early on, we thought it might be interesting to pack in some other flammable material, like bits of wood and nutshells left over from feeding squirrels. That gives you a lumpy breccia (the lower brick in the picture) that doesn't burn very consistently, because it's full of holes. Not a good idea, as it turned out.

The upper brick in the photo is what you get if you let your soup dissolve for a long time and don't add any lumpy stuff to it: a nice smooth brick of pressed paperboard. It's okay to add a bit of small soft stuff like dryer lint. But skip the nutshells -- those can go in the compost bin or yard waste container.

Your final brick, removed from the mold, should be a nice homogeneous piece of paperboard. It's still fairly light and not very dense ... but it burns smoothly and cleanly, and doesn't send sparks up the chimmney like those original bits of paper would have.

Save on heating bills? Well, if you make paper bricks all summer, by winter time you'll probably have saved up enough to burn for ... maybe an hour or two. No, this isn't going to heat your home. Still, it's an amusing, inexpensive and electricity-free way of disposing of that pesky printed privacy-pilfering paper that plagues us all.

PII 2011: Privacy, Identity and Innovation conference

I'm just now finding time to write up some of my notes from PII: Privacy, Identity and Innovation last week. PII was a fabulous conference, fascinating and well run. It was amazing to be in a room with so many people who actually care about these issues.

There were two days of speakers and panels, most of them in the same room, which surprised me: usually conferences have multiple tracks to give you lots of choices. But I ended up being glad for the single track. Almost all of the speakers and panels were interesting, including some I might not have chosen on my own. I had my laptop along with some projects I figured I'd work on during the boring sessions -- but that never happened. I didn't even get time during lunch or breaks -- too many fascinating people to talk to in the hallways.

Then Saturday was "Privacy Camp", a less formal "unconference" full of round-table discussions about some of the issues raised during the regular conference. Conversations were lively and informative.

Usually after a conference I have a couple of suggestions for improvement. For PII I really can't come up with anything. The website was very informative (they even had detailed parking information), everything ran pretty close to on time, rooms were easy to find, they had an A/V crew recording everything, and wow, that Thursday lunch. Plus: Best. Badgeholders. Ever. Great job, PII organizers!

And I couldn't help but notice the gender balance: a third of the speakers were women, and by my rough count-of-nearby-tables, women were close to 40% of the attendees. At a tech conference! That's about double most conferences. Most of the women I talked to were entrepreneurs, many with a history of successful startups already, plus some researchers and a few developers.

The opening talk was worth getting up early for: Julia Angwin, the journalist who wrote the Wall Street Journal's excellent "What they know" articles, discussing the research that led to to the series and what they've learned from it.

Later, once the panel discussions got started, the biggest takeaway from the conference was a question mentioned early on: "Were users surprised? When were they surprised?" Sometimes companies say they care about privacy, but haven't thought much about user expectations. Asking yourself this question is a great test of how well you're really protecting user privacy.

Privacy statements don't work

One of the panels I wouldn't have chosen that was unexpectedly interesting discussed web site privacy statements. First, M. Ryan Calo of the Stanford privacy center presented a study on user behavior with regard to privacy statements. They tried several different types, on websites of very different designs, to see what worked best for users. The upshot? "We couldn't test how well various privacy statements worked, because no users clicked on them. Zero."

Then Aleecia McDonald of Mozilla presented a study where they tried structuring privacy statements in different ways to make the information clearer to users. How can you improve on the "natural-language" policy you see on most websites, consisting of several pages of dense obfuscated text? They tried hierarchies where they showed the basics and let users click through to the details; interactive pages where you could expand and contract sections or mouse over a category to see more; colored tables, cute icons, the works. They found that most of the seemingly easier formats were actually worse than the long natural-language expositions no one reads.

If you make the page interactive, users won't expand the sections and won't find the important mouseovers. If you make sub-pages, users won't click through. If you use icons, users won't know what they mean. But too often, they'll end up thinking they understand, making assumptions about the details that don't match what's really in the policy. So most simplified, "user-friendly" policies are actually worse than a dense wall of text.

The only style that tested slightly better than natural-language policies was the "Nutrition label" style, where they presented several aspects of privacy with ratings for how good or bad the site was.

I felt sorry for the two panelists after Ryan and Aleecia, who were there to show off their cool hierarchical privacy statement page designs. They'd obviously put a lot of work into trying to make their policies clearer ... but we'd just been convincingly shown how ineffective such policies really are.

How to be stupid much faster

One panel discussed big data collection, and some of the ways data can be misused. Someone (Beth Givens?) related a story of a family arrested for marijuana growing after their power company's algorithms flagged them as suspicious for their heavy late-night use of power. Turns out they just had two teenagers who liked to stay up late playing video games. Terence Craig, in my favorite quote from the conference, quipped: "It used to be that it took weeks to accumulate that data. Now you can be stupid much faster."

I enjoyed a workshop given by Brian Kennish of Disconnect and Calvin Pappas of SelectOut about their projects. Disconnect arose from a chrome browser extension, Facebook Disconnect, to block Facebook tracking from widgets on third-party sites. SelectOut also arose from a chrome extension, making it easy for users to opt out of all the major advertising networks at once. The workshop turned into a lively discussion of opt-out versus do-not-track solutions, and what future directions might be.

In another workshop, Martin Ortlieb described a Google study comparing attitudes toward privacy of people in several countries. Someone in the audience asked a question about data being collected and held by government agencies versus private companies. Martin commented that attitudes in the study tended toward "I'd rather companies have my data, because then the government might regulate how it's used. If the government has it, no company's going to regulate it."

Assorted notes

Someone mentioned that Mozilla didn't seem to be taking "Do not track" very seriously, hiding it in the Advanced preferences tab, not under Privacy where you'd expect it. Why? Later we heard that Mozilla is listening to those concerns, and Firefox 5 will move Do Not Track to the Privacy tab.

Esther Dyson: "Personal data can be traded; reputation can't. Reputation is not a currency." She was responding to someone who described a business model involving trading reputation points.

M. Ryan Calo: The government doesn't need a warrant to access your webmail if it's older than 6 months, something most webmail users don't realize.

Finally, Raman Khanna observed: kids get tattoos, then when they're older they pay a lot more for laser removal services. There will be data services like that. "You were stupid when you were in college, and you put all this info online. We'll clean it up for you."

A good insight, and it reminded me of the old threat they used to give us in school (do they still say this to kids?) "This is going on your permanent record." Nobody was ever sure what this permanent record was or why anyone would want to look at it. I wonder if mine still exists somewhere?

In Praise of Logical AND. In Censure of Invasive Cookies.

The tech press is in a buzz about the new search company, Cuil (pronounced "cool"). Most people don't like it much, but are using it as an excuse to rhapsodize about Google and why they took such a commanding lead in the search market, PageRank and huge data centers and all those other good things Google has.

Not to run down PageRank or other Google inventions -- Google does an excellent job at search these days (sometimes spam-SEO sites get ahead of them, but so far they've always caught up) -- but that's not how I remember it. Google's victory over other search engines was a lot simpler and more basic than that. What did they bring?

Logical AND.

Most of you have probably forgotten it since we take Google so for granted now, but back in the bad old days when search engines were just getting started, they all did it the wrong way. If you searched for red fish, pretty much all the early search engines would give you all the pages that had either red or fish anywhere in them. The more words you added, the less likely you were to find anything that was remotely related to what you wanted.

Google was the first search engine that realized the simple fact (obvious to all of us who were out there actually doing searches) that what people want when they search for multiple words is only the pages that have all the words -- the pages that have both red and fish. It was the search engine where it actually made sense to search for more than one word, the first where you could realistically narrow down your search to something fairly specific.

Even today, most site searches don't do this right. Try searching for several keywords on your local college's web site, or on a retail site that doesn't license Google (or Yahoo or other major search engine) technology.

Logical and. The killer boolean for search engines.

(I should mention that Dave, when he heard this, shook his head. "No. Google took over because it was the first engine that just gave you simple text that you could read, without spinning blinking images and tons of other crap cluttering up the page." He has a point -- that was certainly another big improvement Google brought, which hardly anybody else seems to have realized even now. Commercial sites get more and more cluttered, and nobody notices that Google, the industry leader, eschews all that crap and sticks with simplicity. I don't agree that's why they won, but it would be an excellent reason to stick with Google even if their search results weren't the best.)

So what about Cuil? I finally got around to trying it this morning, starting with a little "vanity google" for my name. The results were fairly reasonable, though oddly slanted toward TAC, a local astronomy group in which I was fairly active around ten years ago (three hits out of the first ten are TAC!)

Dave then started typing colors into Cuil to see what he would get, and found some disturbing results. He has Firefox' cookie preference set to "Ask me before setting a cookie" -- and it looks like Cuil loads pages in the background, setting cookies galore for sites you haven't ever seen or even asked to see. For every search term he thought of, Cuil popped up a cookie request dialog while he was still typing.

Searching for blu wanted to set a cookie for bluefish.something.
Searching for gre wanted to set a cookie for www.gre.ac.uk.
Searching for yel wanted to set a cookie for www.myyellow.com.
Searching for pra wanted to set a cookie for www.pvamu.edu.

Pretty creepy, especially when combined with Cuil's propensity (noted by every review I've seen so far, and it's true here too) for including porn and spam sites. We only noticed this because he happened to have the "Ask me" pref set. Most people wouldn't even know. Use Cuil and you may end up with a lot of cookies set from sites you've never even seen, sites you wouldn't want to be associated with. Better hope no investigators come crawling through your browser profile any time soon.