Life in the cloud

As SaskTel winds down CDMA coverage in Saskatchewan, I need to upgrade Mark’s cell phone (an LG Rumor 2) that he loves. He is on a cheap pre-paid plan with Virgin that I don’t want to upgrade or add data to, so I will stick with a feature phone, probably an LG Rumor Plus or a Samsung Gravity 3. It’s talk, text, and email which is really all Mark needs right now.

I have been thinking about what I need ever since RIM’s network went down last summer. This is how I am thinking. I had a Blackberry Curve 8530 and like a lot of smartphone users, I have everything flowing through that phone.

  • Two email accounts
  • Blackberry Messenger
  • Text
  • Twitter
  • Flickr (which never worked on the phone)
  • Dropbox so I could send and receive files
  • The Score Mobile App (I have a problem okay)
  • MySask411 which replaced my phone book

I got a fair amount of work done and even wrote a couple of columns with it. It worked really well for me until that outage. When Blackberry went down, so did my phone. I couldn’t get calls, I couldn’t even connect to a Wifi network. My phone was essentially a brick that I carried around and hoped would return. While it wasn’t the reason I switched to a Samsung Galaxy Ace over Christmas (the cost of the new Curves was high on Koodo and they didn’t seem to offer a lot more capability, as well as my general lack of faith in the Blackberry platform), I essentially swapped out RIM for being totally dependent on Google and this week I had an uncomfortable realization about how totally dependent I am on Google.

I was one of the first bunch of Gmail users way back in 2004, back in the days where invites were limited to five per person and were actually being sold for money. I got one, used my five invites on Wendy and some friends. Gmail was so new and fresh it had that new email smell to it. It served me well until this year when I got a notice that my email had been accessed by someone using an IP address from Serbia. It was really unsettling because I had a decent password and changed it periodically. Having not travelled to Serbia recently (or ever) the idea that I had been hacked was a horrible one.

As for my ID, you have your driver’s license, your passport, your Saskatchewan Health Card, your Social Insurance Number but my email is just as big of a part of my ID as anything. I have used it to sign up for Flickr, YouTube, Twitter, PayPal, even my bank and credit card use it to communicate with me. While I am careful, having everything exposed was not that pleasant and it resulted in new credit cards being issued, new passwords, and really all new everything.

Shortly after that I had a huge problem with email.  Emails were missing and there was about a 1500 email hole from about a year before that I discovered.  I wasn’t the only one that has had this happen to me.  The Gmail help forums are full of users that have lost thousands of emails and no one really knows why.

Since then there is someone that I will email periodically at The StarPhoenix that occasionally doesn’t acknowledge the email. I am the same way so I never thought of it until Friday when I got a call from my editor to see why I never filed my column, except I did on Wednesday. I re-sent the column and it appeared. It’s the second time it happened but I have long had these sneaking suspicions that it was a problem with the @thestarphoenix.com domain. I checked the Gmail help forum and it tells me that I need to check with the domain name that wasn’t getting my email as they are of course faultless. Of course the email was never received.

This isn’t the first time this happened. A friend used to work at USA Today. An email I sent him took a full year one time to show up. I was working somewhere else and using their email (which was served up on Dreamhost) was the only server they ever had a problem with and then only sometimes. It has happened to me before from SaskTel where an email just hung out for a month before being delivered. It happens but how do you know it happens? I never got a bounce message in any of those situations so I assumed (incorrectly) that it had gone through. Maybe we need to downgrade to Eudora 3 and start sending read receipts again.

So on Friday, my email was down, my cell phone was acting erratic (I think the problem was Koodo) and I realize that when things go down, they really go down.   What can you do about it?

Gmail

Leaving Gmail is really hard because I think we underestimate how much spam and email that we get and I really don’t want that to make it to my phone. I know SaskTel has web access but so many friends of mine have had their email account become totally full after a couple of days that it is pointless if you are a heavy email user. I can set up a 500 MB account for myself on Dreamhost but I get thousands of spam a day and Gmail handles it better than anyone else. I am in the process of putting coop AT jordoncooper.com to rest which will cut back on some of the spam but it’s a big problem when you have old email accounts. There are a lot of things that still use it, including some that I am sure I don’t remember but will need someday.

As Wired Magazine published yesterday, Gmail has a pretty big security hole in it.

But since Gmail added OAuth support in March 2010, an increasing number of startups are asking for a perpetual, silent window into your inbox.

I’m concerned OAuth, while hugely convenient for both developers and users, may be paving the way for an inevitable privacy meltdown.

For most of the last decade, alpha geeks railed against “the password anti-pattern,” the common practice for web apps to prompt for your password to a third-party, usually to scrape your e-mail address book to find friends on a social network. It was insecure and dangerous, effectively training users how to be phished.

The solution was OAuth, an open standard that lets you grant permission for one service to connect to another without ever exposing your username or password. Instead of passwords getting passed around, services are issued a token they can use to connect on your behalf.

If you’ve ever granted permission for a service to use your Twitter, Facebook, or Google account, you’ve used OAuth.

This was a radical improvement. It’s easier for users, taking a couple of clicks to authorize accounts, and passwords are never sent insecurely or stored by services who shouldn’t have them. And developers never have to worry about storing or transmitting private passwords.

But this convenience creates a new risk. It’s training people not to care.

It’s so simple and pervasive that even savvy users have no issue letting dozens of new services access their various accounts.

I’m as guilty as anyone, with 49 apps connected to my Google account, 80 to Twitter, and over 120 connected to Facebook. Others are more extreme. Samuel Cole, a developer at Kickstarter, authorized 148 apps to use his Twitter account. NYC entrepreneur Anil Dash counted 88 apps using his Google account, with nine granted access to Gmail.

This is where it gets nerve wracking.

You may trust Google to keep your email safe, but do you trust a three-month-old Y Combinator-funded startup created by three college kids? Or a side project from an engineer working in his 20 percent time? How about a disgruntled or curious employee of one of these third-party services?

Any of these services becomes the weakest link to access the e-mail for thousands of users. If one’s hacked or the list of tokens leaked, everyone who ever used that service risks exposing his complete Gmail archive.

The scariest thing? If the third-party service doesn’t discover the hack or chooses not to invalidate its tokens, you may never know you’re exposed.

The reliability isn’t just a Gmail issue but most of us switched to Gmail because it was run by Google and we never thought that we would have these issues. 

The other issue with Google is that even though they post an Apps Dashboard to let you know how things are going, this is a multi-billion dollar company with no way to contact them unless you are a large customer. I have had Gmail down and nothing shows up on the Dashboard so it has to be a big outage to report it. That’s fine if you are affected with others but if you are not part of a giant collective of frustrated Gmail users losing control on Twitter, what recourse do you have? Google tells you that they look at help forums but there are thousands of unresolved issues, some that go on for a long time. This isn’t unique to Google, a friend had a nightmare in getting locked out of his Twitter account because of a Twitter database error. It took a couple of months to resolve and that was even after its CEO got involved. At least you can contact Dick Costolo, who do you contact anymore at Google?

Google Contacts

I download and back up my contacts periodically for a couple of reasons, I need to keep them sync’d across my two accounts (one for work, the other one is personal). They are also sync’d on my iPod Touch, iPad, and Android phone. Of course I just read on Kottke this week that stealing your address book among iPhone developers is quite common.

It’s not really a secret, per se, but there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database. Obviously, there are lots of awesome things apps can do with this data to vastly improve user experience. But it is also a breach of trust and an invasion of privacy.

I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millions of records. One company’s database has Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.

So while I am giving all of my contact information to Google intentionally, I (and so are most of you) am unintentionally giving up your contact information to developers (sorry about that) which is one of the reasons why there is so much spam in this world. Thanks Apple. So even if Google is protecting our private information, as soon as we sync it with our iPhone or iPad, it is compromised.

This brings up my next issue: which phone vendor can we trust? Apple allows people to download your most private of personal information, Google controls and ties it all together in an Android phone, with Blackberry you just have a crappy phone experience and does anyone expect Windows 7 Phone to be any better? RIM has better security but isn’t able to deliver on their phones.

I was talking to a businessman who has been tied to his phone since AGT came out with the Aurora (such old technology, Google doesn’t even know about it) and he said to me the other day that he was willing to ditch his smart phone and go back to a flip phone (or a feature phone so he could text his kids). His company email server was down and he couldn’t do “anything” and was frustrated in the same way we all get frustrated. He said with a regular cell phone, when it went down, all it did was affect his phone calls. Now when his smartphone isn’t working, it affects everything. He was actually in the process of heading to Midtown Mall to purchase a cheap phone so, as he put it, “at least I can call someone”. In some ways as I looked at a Nokia C1 by Fido today I wondered if this may be what I really want, an update to the Nokia 1100 which is still the world’s most popular phone.

Koodo

Koodo’s cellular service is okay here in Saskatoon. They use Telus’ network and do a not bad job of staying active. I find that when SaskTel is having problems, so is Telus/Koodo which makes me feel somewhat better but not a lot. In other words when I get no service at my house, neither does anyone else using SaskTel, Telus, or Virgin. When Koodo’s network is acting up, I can tell by looking at my phone when something is wrong. My Foursquare check-in options revolve around Carleton University’s campus, my network says Telus or even SaskTel instead of Koodo, and my calls drop more than they should. Wireless is defined by its Ready, Shoot, Aim background and we shouldn’t be surprised with its technical difficulties considering the rate that technology is changing but more and more I keep wondering if a step back may be in order to evaluate if I want all of my personal information being in a platform that is so easily exploited.

Even if you can trust them now, can you trust them in the future? Google’s recent privacy changes spooked millions and may have launched a competitor in DuckDuckGo. These aren’t new concerns as I remember AKMA struggling with how much he should trust Flickr years ago.

I could come off the cloud but that is a lot easier said than done.  I could use Thunderbird for email and contacts and Lightning as a calendar.  I could use Dreamhost’s IMAP server, keep my email off my phone, and ditch my iPad, or at least not sync up information with it.  It can be done but it is a very different 1998 era web that I don’t think I want to go back to either.

When you think of the information you have in your Gmail account, address book, calendar, and other apps (think of Mint and your bank app on your phone), why aren’t we either demanding more security or at least taking steps to protect ourselves? I know RIM’s the most secure but their phones are terrible right now. I wonder if the next thing in wireless will not just be the cool apps but the cool apps that protect your data because right now my data isn’t feeling all that safe.

2 Comments

  1. Leighton says:

    There are only two networks in Saskatchewan: Sasktel and Rogers. Virgin, Bell, Telus, and Koodo all use Sasktel’s hardware. Fido is part of Rogers.

  2. Saskboy says:

    Very interesting and thoughtful stuff you have here.

    It makes the case that it’s entirely overwhelming to keep your contact list secure, because even if you do, just one of your friends/contacts has to make a slip to spoil your effort.

    Ideally I’d have a VPN, my own cloud, and email server. Who has that kind of time? Privacy is dead.
