Privacy
In her post Harvesting data from children with cuddly creatures and cutesy keyboards, Denise Howell articulates some of her concerns with the Build-A-Bear Workshop data collection process.
Within the last couple of months each of my kids has been to Build-A-Bear to purchase a stuffed friend. The store itself is largely innocuous (albeit often filled with loud, poorly mannered kids), and I took great pleasure watching my kids select and prepare their new friend. The process is extremely kid-friendly, and my girls really enjoyed all of the ceremony that goes into the creation of the animal. Kudos to the employees who make the experience so much fun for the kids -- I'd be cranky and ill-tempered after my first customer were I to work there!
I agree wholeheartedly with Ms. Howell's observations about data collection, though. When I sat down with my girls to fill out the birth certificate on the brightly colored computer terminal, I immediately cautioned them not to supply too much personally identifiable information. "Why not?" they each asked. "First, because they don't need this much information in order to sell you a bear. Second, because they're likely to use this information to send advertisements to you in order to get you to buy more stuff." The girls accepted my explanation, and filled out only the essential information. We withheld our last name, as well as our address (and I think our phone number, too). Although the kids have email addresses, Build-A-Bear workshop has no business knowing what those email addresses are. Upon completion of the transaction, I did read the privacy policy. Like Ms. Howell, I found nothing particularly out of line -- it was a fairly standard privacy policy.
The kids have long watched me refuse to divulge my personal information when shopping at brick-and-mortar stores. More and more stores are asking for more than just my zip code these days: they're asking for phone numbers, email addresses, and home addresses. All of these I refuse to supply whenever possible, and I've been known to abandon a purchase if the clerk tries to insist that the information is required to complete the sale.
I continue to be surprised just how often we, as a people, are asked to share our personal details for no particularly good reason. Monday morning, as we loafed around the house enjoying the holiday, we received a phone call from the Neilson Group. I was asked if I could spare five minutes to answer a few questions. "Sure," I replied, knowing full well that I would skew their demographic information, since we have neither cable nor satellite and we watch zero broadcast TV. The interview started off easy enough: "When you answered the phone this morning, how many televisions were on?" (none) "How many televisions do you own?" (two) I answered the questions about how many people lived in the house, and what age brackets they comprised. When asked if I had an email address I replied simply "Yes." The woman conducting the call asked if she could have it, to which I replied flatly "No." She seemed stymied by this, as though she wasn't sure how to proceed with the interview. A few additional questions were asked and answered, again because they revealed nothing terribly personal. Then the woman asked for my home address. I wasn't sure why they wanted my home address, and I failed to interrogate her as to why she was asking for this. I simply denied her request. This rejection, it seemed, she was better prepared to accept, and moved on to asking me for my zip code instead. A few additional questions were asked and answered and then the interview was finished.
I hope that I can continue to impart onto my kids how important it is to be cautious about giving out our personal details; and I hope that they learn the lesson. Moreover, I hope that we as a people can make strides toward better understanding what information is actually necessary for various transactions, and that the retailers and businesses of the country can start better respecting our privacy.
RFID Passports
I got my new passport today. I renewed my passport about a year ago, and promptly lost it. When moving to our new house, I thought that I'd find it, but had no such luck. So I reported my old one lost, and applied for a new one. It arrived today.
This new passport says "Contains Sensitive Electronics". I assume this means that it contains an RFID chip. I am casually aware of some of the problems with RFID-equipped passports: Bruce Schneier on RFID passports and Bruce Schneier on RFID passport Security are good starting points. Delivery agents snarfing RFID passport contents was a new one for me. Hopefully no one in the post office is actively reading RFID-equipped passports before delivering them.
According to Wikipedia, RFID-equipped passports have a thin metal sheath, ostensibly to protect the data from being acquired from afar. Bruce Schneier suggests that a two factor authentication process will be used to decode the contents of the RFID data. Each of those is marginally reassuring, but as one commenter observed, DVDs are encrypted, too, and that hasn't kept their contents safe.
There exist a number of passport wallets which claim to block the radio frequency used to access the data on them. Magellan's, Identity Stronghold, and DIRFWEAR are just a few.
My question is: how can one easily test whether any of these products actually work to protect my passport? I don't want to become a ham radio operator in order to know that my passport is protected. Are there easy means for a layperson to verifiably protect their RFID-equipped passport? Do any of the passport wallets linked above actually work?
