A German politician named Malte Spitz sued his mobile provider (Deutsche Telekom) for access to all the information they were storing on him. When they released the information to him he published six months of calls, texts and Internet usage on an interactive map. German law has since improved its privacy.

Meanwhile, other countries, including the United States, still track users via mobile phones as well as wireless accessories (e.g. BlueToad). Here is an example of what it looked like on Spitz’s map:

Deutsche Welle just posted an interesting interview with him.

Yes, it was quite shocking to see 35,000 pieces of information about my past six months. And it was also so detailed that there was some information where I was at some events that I didn’t even remember. So seeing the interactive visualization, I remembered: ‘Oh yeah, this was the day I was here and there, and so on.’

It was quite shocking because I thought it would be maybe 5,000 pieces of information. But 35,000 pieces of information, when you break it down, that means each day, there are 200 pieces of information. So if you have five to seven hours of sleeping time, so you have like, between the morning and evening, you have maybe 150 pieces of information – every five to 10 minutes my mobile operator knows where I am.

Gareth Rees posted an amusing and detailed review of encapsulation failures, in the context of mobile game apps.

When objects interact with each other, the outcome of events can depend on the properties of several objects. For example, when two objects collide the result depends on the properties of both objects. Consider collisions in a game with bullets, people, and tanks:

• Bullet/bullet: both unaffected (treat as if they didn’t collide).
• Bullet/tank: bullet ricochets, tank unaffected.
• Bullet/person: bullet vanishes, person damaged.
• Tank/tank: both tanks stop.
• Tank/person: person stops, tank unaffected.
• Person/person: both people stop.

You can coerce this kind of table of interactions into the straightjacket of single-dispatch method calls, but the results are pretty ugly however you do it. (It’s no coincidence that the main motivating example in Wikipedia’s multiple dispatch article is collision resolution.)

But there are more subtle examples where the naïve approach goes wrong.

Many moons ago, 1991 to be exact, I found Ivar being installed in Macintosh labs. It was an extension to System 6 that gave remote control of the audio. The attacker had to use a fake “bomb” prompt to get users to restart their system and load the extension (a camouflaged opt-in method), but otherwise it was a silent and easy way to listen and even speak to remote users without them knowing.

I treated it as malware and removed it, but lets just say it also was great for practical jokes.

“This is your computer speaking…I need a break! Please shut me down.”

This WEEK in TECH (TWiT) now reports similar surveillance “apps” for smart phones have been found in the wild. Today, however, it is no laughing matter as apps are developed and driven by large marketing companies who intend to surreptitiously collect as much information as possible because (ironically) they don’t really know who they are dealing with.

Robert Scoble …it actually is listening to the audio, it’s not recording audio but it’s recording a fingerprint of the audio signature of the room.

Becky Worley What?

Robert Scoble So you can tell. Yeah here is why they’re doing that. He says that what we’re trying to do is make it possible for a lot people to go to, let’s say, a Lady Gaga concert and all these shooting pictures will know where the performer is because everybody is aiming at the same place and we’re listening to the audio signature of the room to join everybody into a one Color space and they expect to be able to show you why the closest picture that’s being taken of that event.

Leo Laporte Oh that’s interesting.

Robert Scoble So if somebody is in the front row, the big people in the back row will see pictures that the front row is shooting.

Leo Laporte What do you think of the argument that that is all a red herring and that really the reason they got $41 million is because they figured out a way to collect all sorts of info – it really scares me that they got the mic on, all sorts of information about their users which they will be able to sell, I mean it’s – there’s no sense in the $41 million unless you assume they are up to something clever.

That’s a lot of lettuce just to spy on random people. I wonder if the Shazam app developers are double-checking their ethics.

The TWiT team clearly object to the opt-out surveillance of these new apps; they even call it a flaw in Apple security! Heh, well, users are choosing to download and install them. Unlike the Ivar extension, where we had to infiltrate a system the old fashioned way, surveillance now is being engineered as a service — bundled with a giant carrot.

Leo Laporte I have to tell you I – as soon as I thought about it for half a minute I erased Color immediately and I would recommend anybody who listens this show to immediately erase that program.

Brian Brushwood Nobody under 25 will hear that advice, that’s…

Leo Laporte Because there is a – now that I know that it’s also doing sound analysis, that really creeps me out. This is a real flaw in Apple’s permissions system, at no point where we informed that this program was turning on the microphone. I don’t care if they say they’re not using it they’re turning on the microphone in my phone and they never told me that. That’s bad news.

Robert Scoble Well I told you on my show on Thursday.

Becky Worley They didn’t tell me that when I downloaded the Grey’s Anatomy iPad app.

Leo Laporte What? It listens to YouTube?

Becky Worley It listens to the TV to figure out where it is in the show so that it can sync, it simulcast of iPad information to where you are in the show.

Brian Brushwood Wow.

Ok, this is where I put on my giant hat of contrariness.

I predict people under 25 not only anticipate this better than those who are over 25, they already have more natural countermeasures from growing up within the system.

Humans have a natural instinct for freedom of thought. It is nonsense to suggest that those under 25 lack the desire to resist authority.

Those who are raised under a constant surveillance threat will more easily adopt methods like phone swapping, temporariness, and sharing. They will intentionally break the bonds of information that older generations have a hard time protecting or letting go.

In other words, the first generation to taste the surveillance carrots probably will see something worth the trade-off in privacy — even if it is just to do something cool and new and different. Subsequent generations will not be so easily fooled.

The new data is in. When I presented for the PCI Security Alliance and SafeNet at RSA in 2009 I used breach data in datalossdb.org to show that PCI DSS was working and we could prove it.

The following two reports explain this trend in much greater detail. I will handle them individually later, but for now here are a couple highlights:

Verizon has posted the “2011 Data Breach Investigations Report”

After four years of increasing losses culminating in 2008’s record-setting 361 million, we speculated whether 2009’s drop to 144 million was a fluke or a sign of things to come. 2010’s total of less than four million compromised records seems to suggest it was a sign.

Imperva has posted “PCI’s Impact on Security Quantified”

PCI is very effective in reducing breaches but it seems many companies don’t believe it.