Saturday, January 22, 2022

Google Security Problem: 2022

I am heavily dependent in my personal life on the Google suite. All of my archives (notes, tax returns, email communications, everything!) are kept in Google Drive. On Thursday night of this week, around 10pm, I lost access to all of it.

My iPhone Gmail app was suddenly empty. Usually, I have thousands of emails, now there were zero. I couldn't open Google Drive on my phone. I couldn't reconnect to my Google account. The Google message simply was: "Your password was changed in the last hour."

Thirty-six hours later, I finally recovered control of my account. It was a terrible day and a half for me. I would wake up like I have following some of the terrible events in my life (deaths, divorces, getting fired) with that weird feeling wondering if the bad news was there or was it just a bad dream. Here's what is weird and terrifying.

1. I was totally prepared and had taken almost all the precautions that could and should be taken. Nevertheless, somehow my account was taken from me by someone or something changing my Google password. I was locked out!

2. Nobody cared. Or seemed to care. Google has some nice pages on their website about account recovery and probably, behind the scenes, some superb techniques and maybe human review. But there is no visible case management, nobody seems interested in learning about my case. At the end, I wonder if Google cares about this personal disaster of mine. The fact that I pay Google a hundred or so dollars a year for extra storage space did not seem to make any difference. I'm not saying it should, I just mention it since a relevant question is: "Why should Google care about you, you are not a paying customer of theirs." But I am!

First, my preparation. When I go to the page on security at Google, it reports no suggested actions.


 I have a back-up phone and email for identity verification. I have the Google Authenticator on my phone (which was never used in the process). I have only given two apps direct access to my Google account. One is Dropbox, the other is one that I use to post to my blogs from my phone. Google didn't flag either as a security risk.

What happened? On Thursday night at dinner, I realized I couldn't see my mail. As I checked, I  realized that I had a problem. By 11pm, I was back home and I stopped working from my phone and went to my computer. 

My computer has dual factor authentication on it to just open it.  So it opens an app on my phone to verify my identity just to use it.  I only use work computers these days and this system is set up and maintained by corporate IT. Those are the only two devices that I have used in the last months (actually, there are two computers, both with dual factor authentication) to access my Google account in the last year.


 

The Google recovery process involved an easily findable page which asked me for my password, then reported it has been changed, then asked me for the most recent password that I remember. 

 


It then kept asking me for a phone number to verify my identity. I would get the text, enter it, and it would say that Google needs to verify the account which will take 48 hours. Forty-eight hours! In the modern world, that is a long time to not be operational! What if I was on a trip? Google would also have a note that if you were in a hurry and on a device and browser that I had logged in from recently, I could accelerate it by trying again. So I would try multiple times since Google seems to suggest that repetition would help. After a few tries, I would find that it would lock me out saying too many attempts. IMHO, Google should modify their wording there so that people try the optimal number of times. I would try too many times, urged on by the "if you are in a hurry" message, then wait six hours and repeat.

I had set up one recovery phone number and two recovery emails. One email, Google didn't list as an option and wouldn't seem to use when I entered it as a way to verify my identity so it did not help. The other email was on file but it was actually an email alias from a domain and email address that I own that was set up to forward to my Gmail account so it was not easily used in this situation where I had lost access to the Gmail account. This was a mistake that I feel that I made. I should have had easier to use recovery emails.

After half a day, I figured out how to login to the web email service associated with my domain and reset it so that it stopped forwarding emails to a Gmail account that I couldn't get into. It had been set to forward and delete. I turned that off and now I could login with webmail to use my account. I couldn't see the emails from the previous few days which would have helped me to look for security problems. This is another step that I will take. The reason it took me a day to get into this is that the info on where my domain is hosted and how to login to it is kept in my... Google docs! So I couldn't get to the info that way. I had to look it up through another backup system of info that I maintain. I will revisit this too.

Root Cause Analysis. So this morning I got in, reviewed all the emails that went into my account looking for damage and malfeasance. And I'm writing this summary, considering all my different steps and precautions and my plans going forward.

 

I checked the Google security info inside my account and I found that the password change was done by my phone. My iPhone, which has a six-digit security code and facial ID on it, was in my possession at all times. So who did what? Google reported two apps that had access to my Google account and it did not flag either as sketchy. One is Dropbox. The other is a great app for posting on this and other blogs when I'm mobile. I'm thinking it could have been the problem so I removed its access and will not give it my Google account login going forward. I might create a special blogger editor account for it so it will only have access to help me with the blogs.

Now back to my claim that nobody seemed to care and that maybe, Google doesn't care. True? Overstated? Wrong Question?

Has Google already processed the event taking inventory of all my account info noting that there was a security problem and that an unwanted changed password happened on an iPhone with two apps that have access?  Does Google already know about all the other apps on my iPhone checking to see if there is a pattern of issues of apps on phones and security?

These questions are important ones and Google, secretive and mute, gives no clue as to how seriously they consider this sort of problem. The sum total of the communications from them to me after this serious and terrifying experience was an email about a new password and that congratulations, your account was recovered.

Now that I'm back inside my Google account, I have found one path towards some potential human help.

It turns out that I can get to a 2-3 minute attention from a "Google Expert".

 


When I do, I will ask them about what they think actually caused the changed email. There, I will use the number of the one app that had access and see what they think. Or is it another app on the phone which did not have access but somehow picked it off and used it to change it?

The weird thing that I'm trying to understand is whether, once I was hacked, did I have access to these account features to help me with recovery? Is it possible that this sort of help is only available through the account which of course, I couldn't get into and so I could not access?  I'll ask them about this too. If the service was available to me, I wonder why I never found it? Human error and lack of thoroughness by me?

It seems like by being a paying member, I am a Google One customer and we have some sort of access to help. I'm now at the top of the queue to chat (it was about 15 minutes long) and my expectations have been set to have a 2-3 minute. My chat started 8 minutes ago with me saying:

I have now recovered control of my account and am looking for root cause of the stolen password.
My Google account reports that my password was changed (not by me) from my phone which has always been in my possession. So how did it happen? I had given access to "*****" to my Google ID on my phone. Could ****  have been the problem? Or is there another way that an app on my iPhone might have changed my password? The whole incident has been documented here:

https://www.blorum.info/2022/01/google-for-consumers-2022.html

Since then, 18 minutes of silence from them. Not even a murmur to assure me that it's still a live chat. I think I'll check with: "Are you there?"

 

Hey Google, really crappy chat. What gives? Do you give a damn or not? Now I'm PO'd.

A few days later, I received a Google survey asking how satisfied I am with their support efforts. I said that I wasn't and directed them to this blog post. They also asked if I would be willing to be contacted to provide more info; we'll see if they contact me again.

I'm still researching these questions about how it happened. Here are some articles relevant to how hackers steal your Google password.




Monday, June 14, 2021

Diversification and Asset Classes by Economic Strata

Let me start by saying I am just writing for my own clarification. This is not advice. I'm not qualified really to handle my own investments, never mind advise anyone else. For clarity, get your advice from a professional. This is just me noodling.

The foundation of investment strategy is diversification both within and between asset classes. It's not finding hot investments, that's gambling. Investing for non-professionals is best done (per Swanson and tons of other smart investment advisors) by picking the right diversification strategy and then some low cost well run index funds (Swanson swears by non-profit investment mutual funds but he wrote prior to the super low cost index funds)

Simple: for people with some wealth. Let's say $100,000 to $1,000,000.  The truism for these people is to balance equity and debt. If you are younger and saving long term, tilt heavily towards equities. Maybe 80%. Maybe more.  Inside the equity pool, focus on index funds.  Get a selection of obvious ones perhaps mostly the US equity market (S&P500, perhaps VOO) and a smaller percentage in global developed (EAFE: non-North America public equities) or emerging (don't have an example).  The S&P index fund probably has all the diversification you could need. If you'd like you can subdivide the sectors; Example, you can distinguish between growth investing and value investing (what index vs what index) but I'm not sure there are great index funds that make creating this distinction worthwhile. For debt, it's tricky in the modern world since T bills pay basically nothing.  And while everyone agrees that in the future, there will be an interest rate, the problem with holding T bills now is that as the interest rate reinstates itself, the value of existing T bills will shrink. So, is there any value at this point in holding debt? Why not simply a money market fund?

Complicated. People with more wealth and who want to generate enough cash to live on. Retirees. $1 - $5M in total portfolio savings including IRAs and 401Ks. This is a huge group. Boomers largely watched fixed income retirement plans disappear (in the 70s-2000) to be replaced with 401Ks and IRAs so retirement became largely self financed, not counting social security which helps but for professionals with a certain life-style, it's not nearly enough. This means that there are tons of couples who have millions in retirement savings and are trying to figure out if they can live on that. Many would like to live off the income from these savings so that they can pass it on to their children. For these people, how should they be invested? How should these people think about diversification?

Wealthy People. A third category would be people who have enough wealth (over $5M right up to 10x that) so they can invest in some number of totally illiquid investments with a longer term perspective with higher risk/return ratios.  How should they think about diversification across asset classes on criteria such as:

-    liquid vs illiquid
-    debt vs equity
-    domestic vs international vs emerging
-    real estate vs corporate
-    sectors such as agriculture, tech, etc
-    growth vs value
-    income vs growth

Related points for these people are tax and estate planning.
There are some pretty good articles that I can find on the first category, a few on the second, but I can't find a single good article on this third category in terms of diversification strategy.


Small Business PR

 For many years, I invested almost nothing in PR. Then, at one point about five years ago (maybe around 2015), I thought about using PR to simplify our hiring. After that, with the pandemic, homeschooling became big news.

Local PR for Local Hiring - This worked pretty well. I made a point of speaking at the local business groups where the marketing and engineering types that we were interested in would see our name. I also personally did some PR and even local advertising to support this. We took some billboards and put some ads on NPR (our local affiliate is WLRN). I spoke at some business promotion groups locally giving a speech up at FAU (organized by the Ten Golden Rules guy), a talk at Citrix organized by <what's the name of that group?>, and so on (I never spoke at SFIMA nor at ??? the direct marketing group) etc etc. I got stories in local blogs, newsletters, Ft Lauderdale Biz News, and Ft Lauderdale Sun Sentinel. Plus tons of social media.

Pandemic Time: Homeschooling is Big News: By April 2020, we had decided that we could contribute to the national discussions and hired a PR firm. We hired and I started doing press. Generally, I pushed for focusing on using moms local to the news story which everyone agreed with as more engaging and convincing.  I tried to remain in reserve to use when they wanted a business talking head. Generally, the campaign seemed successful with three big caveats.

  1. Me as a talking head spokesperson. While I'm comfortable with a live audience as a speaker, I'm awkward with a camera and a soundbite. Despite good training by the PR team, I seem to have a crooked smile, a shifty gaze (glancing at my script or notes), and to be long-winded.  I'm working on it. In response to a request for a few minute speech, I just developed a new recording style in which I simply write myself a list of points. And each point is a separate take (entrepreneur talk on 5 points). This solves the "speech" problem but doesn't address interviews. I wish I had thought of it when I got to give the Time4Learning Graduation Celebration speech (my part starts at minute 36).
  2. National Press. We've only succeeded with the regional stories and had a paid insert in USA Today and a huge run with one AP Press story. But mostly, we've gotten coverage in regional press especially in South Florida. If our goal is press for SEO purposes, this is pretty good.
  3. Impact? While the agency makes a good point of routinely documenting that hundreds of thousands or millions of people are exposed to these stories and our name, I've seen no evidence that it helps our business in terms of name recognition, stimulating follow-up by potential customers, or selling customers. We recently cut a sponsorship of a TV program (The Cat in the Hat Knows a Lot About That) since while the numbers of people who saw our initial 20 second blip was huge, it seemed to have no measurable impact anywhere after six months. While the PR effort for exposure is cheaper in terms of total monthly cash, it's also a ton more work. One added bonus however has been very useful work and thinking from the PR firm where they function also as a marketing agency helping with message refinement and projects.
    1. Anecdotally. I never hear from anyone that they have seen our stuff. I know people everywhere so this seems weird. Especially since I know tons of people in SoFlo.  Is old media just dead?
    2. None of our marketing tracking tools have shown any surges related to where the stories ran.
    3. Our SEO team has not shown that the additional links and citations have been picked up, recognized, or counted by the search engines.
    4. Even in social media, while I see mentions by our team, they have never seemed to have any real momentum and get large numbers of links or shares. Is there a way to spin these stories to our audience which might encourage them to share the story? Many parents talk about other family members or community's skepticism about their homeschooling direction, could we write and share a link to these stories in a way that would get shared?
  4. The PR effort is very much a traditional media focus. Except for a podcast (which had a tiny audience), it's focused on TV, radio, and newspapers. It's not designed to get big coverage from online websites or social media. Does PR of that sort exist? Or does that really just mean doing paid work with influencers? We used to work with bloggers very effectively, both large and small. Recently, I haven't seen any real focus or success on it.

Thursday, June 10, 2021

The Comfort Zone and Learning

 I'm reading a book called License to Learn by Anna Switzer.  It's a great interesting book that blends personal experience with academic thinking and the learning sciences with some psychology. Pretty ambitious, illuminating, and engaging.

  To be honest, the first chapters annoyed me at their simplicity and the way that illustrative graphics were being used.  My complaints:

- the image of a comfort zone surrounded by a discomfort zone and then a panic zone seemed overly simplistic (I'm using different terms that were probably used in the book).
- I imagined that rather than a series of concentric circles, the concepts behind comfort zones should be shown on the initial graphic such as an X axis that maps high to low familiarity with the situation. And perhaps a Y axis that goes from no expectations to high performance, or significance or something. In this map, the lower left quadrant would be the high comfort zone.

 BUT, as I got to the next chapters (and they are short several page chapters), the analysis and imagery grew more sophisticated and addressed many of the issues that I was having with the opening.  As an editorial suggestion, I would have liked a note early on that this model will become more sophisticated in the upcoming chapters.  

Overall, I like the book. Even if I tend to think about graphics being more analytical and illustrative of underlying dynamics.

 I tend to think of these sorts of questions in light of some of the work that I do. For instance, in math education, a huge fork in the road starts with the math facts. Some kids really dig in and memorize the math facts effectively. They become fluent and proficient. This gives them enormous confidence as they go forward with math.  Many other kids do not become fluent which leads them to often have trouble following the conversation around math.

Look, we have three cars each with four wheels. These wheels each cost $200. How much would it cost to buy new wheels? So, three cars times four wheels per car means that we have 12 wheels. The 12 wheels would cost twenty four hundred dollars.

For kids fluent with math facts, this is pretty easy to follow. The kids lacking proficiency were unable to follow where the 12 wheels came from. These kids are the ones who put their head down on the desk in frustration and tune out.  

Of course, there are many reasons that kids do or don't become fluent. And of course, Mazlo before Lazlo is a powerful vision of what is realistic in planning a better educational system. YET, the data around the approach of Reflex Math defies that logic in that kids from every social economic strata seem to advance through the game-based learning program towards fluency at the same pace. Somehow, the engaging games and the part of the brain used for math resists the usual logic that kids' performance will generally correlate with socio economic strata. This is of course a very peculiar type of learning which could, perhaps be less affected by ACE type trauma?

For homeschoolers or study at home, Reflex is available as Time4MathFacts, with games to learn the multiplication times tables and the addition / subtraction math facts too.  

Wednesday, March 17, 2021

Creating dialogue. Stimulating Students

The best teachers know how to solicit engagement from students. It's not the dumb obvious way. Here are a few tricks which I lifted from an article by Minarella on Medium. Thanks!:

https://msminarella.medium.com/

When I showed a quiet kid a picture of an elephant and asked “what is this?” they got bored, moved on, cried, anything but answer my question. But if I said, “this is a giraffe” they would all stand up and scream “no, that’s an elephant!” — and suddenly they’re all engaged.

By being ignorant about a topic they are knowledgeable in, it gives them some authority in the conversation and that builds up their confidence.

It works surprisingly well on adults too.

If I ask a stubborn adult, “tell me about your Engineering job” they will typically respond with, “I design systems”. And then I have to ask an endless stream of follow-up questions with one-sentence answers — which no one likes doing.

Now, if I say something inaccurate along the lines of, “so, you’re an engineer. That means you build engines, right?” They can’t correct my ignorance fast enough. They’ll go into detail explaining what an engineer is, what it isn’t, and what kind of engineers there are. All I have to do is chime in with “are you sure?” every few minutes and they’re talking up a storm for the rest of the conversation. 

I'm thinking about this as we work on our elementary student-facing curriculum for science and social studies.  Point: bore the kids by being a predictable authority, it might not work. Engage them with clever questions that give them some opportunity to show what they think and what they know, we might get them engaged!!!

Friday, February 26, 2021

Thursday, February 25, 2021

Wednesday, January 06, 2021

January 6th, 2021: A Day That Will Live in Infamy

January 6th, 2021 is a day that will live in infamy.  The lying, reprehensible, and dangerous behaviors of the last years were laid bare before America and the rest of the world.  Americans should and do feel ashamed.  And scared.

Before I review some of the others, I'd like to also point out that in some ways, January 6th, 2021 was a great day for the American democracy. Again, we completed fiercely contested high stakes elections. The results of the two Senate races in Georgia were announced and one of the losers followed the proud American tradition of conceding his race and congratulating the victor. A newly elected Senate and House of Representatives took their seats of responsibility and started working. The national election results were, despite astonishing drama and obstacles, ratified. The Congress overall rose to the challenges and occasion and acted promptly, with determination, and with their eye on the big picture. All of this, like every time the awesome American democracy works, brought tears of pride and awe to my eyes.

The stains and horrors of the day were very real and open up many many questions.

  1. Donald Trump, the current president, continued to lie about the results of the November 2020 election. It's unclear to me if he is delusional,  unanchored from reality. Or, is he cynical and amoral and calculating? Is this just a plot to continue to gather hundreds of millions of dollars from the gullible, to build and flaunt a fearsome mob (like the Brown Shirts), and to try to use his mob and position to overthrow the American democratic process and stay in office? Did he start cynical and become unhinged? Whatever understanding Trump may or may not have, on the 6th, he openly tried to use mob violence to overthrow or intimidate Congress. He sent the mob to attack the Congress. This seems like a sedition to me which is a criminal felony.
  2. Trump Political Supporters. Throughout the day, some US Senators and Congressmen continued to support Trump's tactics of spreading lies and attacking the American institutions that protect us. Senator Ted Cruz showed formidable oratory skills and a total commitment to amoral cynicism. He argued that the success of his and Trump's lying to Americans about the election is so great that they have now created so much confusion that maybe the will of the electorate does not have to be followed because they have made it so confusing by lying to them so Cruz proposed that we not certify the election. There were many others, particularly in the House of Representatives, who pursued this line of pandering and perpetuating lies. To be clear, the confused Americans are confused because people who they should be able to trust are lying to them day after day after day. If these politicians wanted to help the public understand the reality, they could speak the truth and stop lying. Is there a legal or other recourse to muzzle this lying?
  3. Also during the day, around eight Senators decided that they had played with poison and fire long enough. Most prominently, Lindsey Graham found he has a conscience or a backbone and renounced (after many years) his self proclaimed position of being the biggest supporter of the liar-in-chief. Better late than never but it's unclear to me whether there is any forgiveness for him from colleagues, the public, or any deity who may judge.
  4. A mob in the hundreds of thousands, summoned by Donald Trump to Washington, to have a wild day, to be strong, and to stop the steal, acted at the behest of Donald Trump. How this culpability of Donald Trump is going to be dealt with by the government is an open and widely discussed question. I want to move onto another one, what about all those people in the mob?
  5. The Mob Goes Unpunished? If I tried to rush into a restricted secure area anywhere, including and especially the Congress, I would expect to be clubbed, tased, taken roughly to the ground, and have my hands cuffed behind me. I would expect to be incarcerated and to spend the rest of my life carrying the burden of being a felon. If I broke windows and defaced a Federal building (never mind desecrating and defiling sacred spaces), I would expect time behind bars and vast fines. I'm dumbfounded that this is not underway. I get that there were some problems on January 6th, but when will the law enforcement agencies announce that they are starting to arrest and process the perpetrators? Where are the videos of the perp walks where these individuals are taken into custody? Where are their mug shots? The photographic and other evidence of crimes is so clear, I do not understand the delay in starting this process. I think these are Federal crimes so wouldn't the FBI and the other federal agencies have jurisdiction and be able to start these processes?
  6. What happened to security on the 6th? There are videos of Congressional cops opening barriers to let people in.  Were they sympathizers? Were they trying to limit violence by conceding ground? Who was making decisions?  Who decided to have small scale security with a large scale mob  marching their way? As a Federal City, did Trump have some say in this? Were the security decision-makers controlled directly by him? Were they sympathizers?  Incompetent?  The investigation into this is a huge priority especially with the inauguration so close.
  7. Communications. Apparently, the mob and those types have migrated from Twitter to some extremely private and secure community communications packages. I assume that these are scanned and infiltrated by the FBI and other antiterrorist organizations.  If these communities are planning treason and crimes, like they did yesterday, they should be dealt with. These packages are ultimately just software and their access to networks and resources can be shut down, they can be blocked on cell phones, and they can be disabled. We are way past the point where there is any question of whether they represent a viable threat to safety. There are many limits on free speech including when it slanders, threatens the US and its government representatives, and endangers lives.


Wednesday, December 09, 2020

Feedburner. Cool Name. What to do?

I have some hobby blogs (like this one) that I have kept up on Blogger since around 1983. Or it feels that long. On one of them - https://www.AmusedByJokersAmi.com (also known as jokercollection.blogspot.com) - there is a feedburner widget which supposedly sends out my blog posts to my subscribers.

I'm not sure it's working any more. I clicked around and found this:



Ugh, there are an indeterminate number of people who were in that system. Feedburner seems impossible to login to. What to do now? Just remove it? Start again with what?


I just tested the signup feature to see if I could use it to subscribe. It seems that I can.
But how would I login and see my subscribers, the number if not the actual names?

I just realized that this blog also has a feedburner widget. It says it is owned by a corporate account that I still have access to. I'll try to access it.


Feedburner does seem active in that I got an email confirmation email that clicked thru properly.



BUT, the feedburner account in use relates to an old Google account and while I'd like to switch it to the new account that manages the current blogger set-up, I cannot begin to figure out where and how I would do such a thing... Help?

Wednesday, December 02, 2020

Is Privacy Bee a scam or legitimate?

 I run a small company and have in the last months, received a few very intimidating legal notices from a firm called Privacy Bee.  

They've caught my and my counsel's attention because while they claim to be protecting people's privacy, they cite individuals that my company has never done business with, has not emailed, and has no records of. 

We have spent considerable resources checking and double checking our lists so we are sure that we are not keeping records of them or direct marketing to them so we don't know what to make of it. As I look at them and see that they are charging a subscription to users, I wonder more and more about them.

Privacy Bee is one of these highly automated web companies which is incredibly buckled down and private. No individuals are listed. For those of you not familiar with this, it's sometimes companies that are doing something controversial and nobody wants their name actually associated with it. Specifics:

  1. The Privacy Bee website does not cite a single individual who invests in the company or works at the company. NO executives, no president, no individual to address legal concerns to. Nothing. Even the fine print, nothing.
  2. LinkedIn shows no individuals working there.
  3. Webhosting info is carefully managed so no individual can be found (I think btw, they are not in compliance with the need to make these records transparent). https://whois.domaintools.com/privacybee.com
I looked at their signup process and saw this:


The letters that I've received from them talk about protecting the rights of individuals. On each of the two sets of emails that I've received, an individual whose rights they claim they are protecting is cited. A good amount of information from the individual is provided including:
  • Name
  • Email
  • Date of birth
  • mobile cell phone
  • secondary phone number
  • home address
It's of course odd that a company, protecting privacy, will circulate such information about them.

I'm posting this in hopes of finding other companies that have dealt with Privacy Bee which can help me understand what they are looking for, what sort of company or business they have.  

I have contacted the individuals that they cite and the responses are along the lines of (this one is an exact quote from an email).

"you will have to ask privacy bee why their algorithm flagged you as being a potential source for my personal info"

This of course is the problem. Privacy Bee cannot be easily contacted. There is one email that I can find for them, support@privacybee.com, and a contact-us page. I'm concerned that if I do that and show that they have my attention, it will trigger another set of intimidating initiatives and wild goose chases on our side.

I can click on a Privacy Bee link which gives me two choices:
The problem is if the requested action is to delete records which do not exist in the first place, how should a company respond to a request to take action on the request to delete the existing records?

Does clicking that I agree somehow admit that I had such records? In this case, I do not want to agree.
Does clicking on I refuse somehow put me on record that my company refuses to support privacy?


It also shows a signed document which reads as follows:

Limited Power of Attorney
 I, _______________, residing at ________________________________, appoint Privacy Bee, LLC, a Wyoming Limited Liability Company, as my authorized agent (attorney-in-fact) to act for me in any lawful way with respect to the matter described below. This Limited Power of Attorney is granted only to the extent necessary for my authorized agent to submit requests under the California Consumer Privacy Act, General Data Protection Regulation, Australian Privacy Act, or other relevant privacy legislation (the “Privacy Laws”), to any organization governed by the Privacy Laws, which grants consumers certain rights to request access to personal information (as defined in the Privacy Laws), to obtain copies of the personal information, to request the deletion of the personal information, and to opt-out of the sale of the personal information. By this power of attorney, I authorize my agent named above to submit a request on my behalf, under the Privacy Laws, for access, deletion, and opt-out from organizations that must comply with applicable Privacy Laws. I agree and acknowledge that my authorized agent may withdraw from this limited representation at its sole discretion. I further agree and acknowledge that this Limited Power of Attorney will terminate automatically, with respect to any particular organization to which my rights under the Privacy Laws are being exercised, once the authorized agent submits a request under the Privacy Law to the particular organization. I further agree and acknowledge that this Limited Power of Attorney will terminate automatically upon any legal actions taken by me, my authorized agent, or any third party (e.g., an organization to which a submission under the Privacy Laws is being made) associated with the purpose of this Limited Power of Attorney. 

 

-----Original Message-----

From: Privacy Bee <companies@mail.privacybee.com>

Sent:  date, 2020  

To: "MY COMPANY" <emails@ "MY COMPANY">

Subject: Urgent Followup: Legal Request for Data Deletion and Opt-Out of Resale [Request ID: xyz]

Concerns:  "MY COMPANY"

Request ID: xyz

Signed Power of Attorney: Yes

Request Date: November 2020

Respond At: https://app.privacybee.com/request/xyz

To Data Protection Officer or Legal Counsel:

I am hereby submitting a follow-up to a personal data request pursuant to Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation. If you feel my data is exempt from privacy legislation for any reason, I'm still asking you to respect my wishes regardless, as I believe privacy is a universal human right and I'm hopeful the integrity of your organization will honor my request with or without legal requisite.

The initial request was sent <time and date> UTC and I still have not received a response that my request has been fulfilled.  This is a reminder that you only have 5 days left to respond!

Specifically for  "MY COMPANY":

- Data Deletion: I hereby request the immediate and complete purging of any and all information your company has on me including but not limited to: user accounts, marketing data, transaction data, behavioral data, social data, CRM records, or absolutely anything that contains my personal information.

- No Dissemination: if any information is being or has been disclosed, resold, licensed, rented, or otherwise disseminated by your company to third parties, I hereby request to opt-out of that data sharing, and request you communicate this request for opt-out and deletion to those entities as well.

If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR, or other applicable legislation), I am hereby withdrawing said consent. In addition, I am objecting to the processing of personal data concerning me (which includes profiling).

As I’m legally permitted, please confirm your compliance of my request without undue delay and in any event within one month of receipt of this request.

I am including the following information necessary to identify me:

Name: 
Primary Email:
Primary Phone: xxx  (Mobile)
Secondary Phone: yyy (Home)
Primary Address: specific home address
Birthday: Detailed date of birth

If you require additional information to resolve my identity, to view my signed Power of Attorney authorizing this request, or to respond to this request, please visit: https://app.privacybee.com/request/xyz

If you do not answer my request within the stated period, I and my legal privacy advocate, Privacy Bee, are reserving the right to take legal action against "MY COMPANY" and to lodge a complaint with the responsible supervisory authority.

Thank you.

This request was submitted by and tracked by Privacy Bee (privacybee.com).

 Route::get('request_followup', [TestEmailController::class, 'request_followup']);

 

In reviewing Privacy Bee's Terms of Service, I note that they are NOT a law firm.
2.3 No Legal Representation. We do not offer legal representation, nor do we offer any legal advice, legal opinions, recommendations, referrals, or counseling. 

Their business model seems to be a subscription service of sorts:

4. Fees and Payment.

You agree to pay fees (the “Fees”) for the Services on a monthly basis (the “Subscription”), in advance, in the amounts set forth in our price list for the Services in effect at the time of payment. The Fees applicable to you are set forth when you sign up for your Account, and may be amended by us, from time to time, in our sole discretion and with advance notice to you. By signing up for the Services, you expressly authorize us to withdraw funds from your bank account and/or charge your payment card (as applicable) for the full amount of the Fees. Since the Services are on-going and are subject to recurring payments, you expressly authorize us to withdraw funds from your bank account and/or charge your payment card on a recurring basis until you affirmatively cancel, remove or stop your use of the Services. You may be provided with the option to prepay Fees in advance on a quarterly or annual basis, in which event we may offer a discount or other incentive to you. All Fees paid by you for, via, or in connection with the Services are final and are non-refundable. You understand that the fees you pay to the Company for the Services are associated with the attempt to exercise your rights under the CCPA, and not for the guarantee of results associated therewith.

They claim extensive rights to any info their subscribers provide them. 

7.3 User Content. You hereby grant to us a royalty-free, fully paid-up, sublicensable, transferable, perpetual, irrevocable, non-exclusive, worldwide license to use, copy, modify, create derivative works of, display, perform, publish and distribute, in any form, medium or manner, any text, information, data, materials, images, or other content you provide to us using the Services or submit or post to the Site and that is not Feedback owned by us (the “User Content”). You represent and warrant that: (a) you own the User Content or have the right to grant the rights and licenses in these Terms, and (b) the User Content and use by us of the User Content as licensed herein does not and will not violate, misappropriate or infringe on the rights of any third party. We may remove any User Content from the Site for any reason at our discretion.

In the Privacy Bee privacy agreement, they say both that they don't sell (unclear if they license) personal data and that they won't without some sort of opt-out first. And I quote:

  1. For more details about the personal information we have collected over the last 12 months, including the categories of sources, please see Section 3 “How We Use Your Information” above. We collect this information for the business and commercial purposes described in Section 4 “How We Share and Disclose Your Information” above. We share this information with the categories of third parties described in Section 4 “How We Share and Disclose Your Information” above. We do not sell (as such term is defined in the CCPA) the Personal Information we collect (and will not sell it without providing a right to opt out). Please note that we do use third-party cookies for our advertising purposes as further described in Section 4 “How We Share and Disclose Your Information” above.


Wednesday, October 21, 2020

User Experience Design: Card Sorting

 Today I learned a new user experience (UIX) design technique. It's for organizing different topics into a few top level menus.  In the simplest form, there's closed card sorting. 

It starts by creating a card for each topic that the site is going to cover.  

With closed card sorting, a set of cards is given to different potential users along with a few pieces of paper with a topic on them, and the users are asked to sort the cards onto the pages based on the topic where each best fits. This gives guidance to site designers as to where to put topics in terms of where the users expect to find them.

Surprise! The Visitors Think About
Topics Differently Than the Professionals.
So Whose View to Use?

Open Card Sorting. To get more pure user feedback on how they visualize topics and categories, the cards can be given to users who put them in piles based on the categories that they imagine they should be organized along. This can reveal a more genuine sense of the mental maps with which users approach the relevant topics. It can also be overwhelming to users and in many cases, produces haphazard sets of logic that users turn to when they get frustrated and just want the exercise to end.  

A purer sort might be to give the users a blank set of cards and a few pieces of paper, tell them what the site is about, and ask them to put a major topic on each of a few pieces of paper, and then name and organize the cards. This system does not have a name that I am aware of.

It's easy for these techniques to get out of hand. It's important to remember that they are techniques to reveal the mental maps that people approach a topic with. But the site designer, through careful wording, should be creating navigation and topics that steer users down paths that support the goal of the website. Websites are not libraries or wikis where users are expected to freely browse and learn. Websites usually have a purpose and while knowing the mental maps with which users might first approach the site is useful, it does not necessarily dictate how the site should present its experience.

Stay tuned for an example which illustrates these choices...