Saturday, March 14, 2009

Your Texts Could Be Out There!

A Tweet turned me on to Skydeck. Skydeck is a web service that gets between your phone and the network and allows you to manage your voicemail, your texts, and your contacts all from your desktop browser. From reading the help pages, it seems Skydeck does this by
a) becoming the voicemail system for your phone. That is easy enough, the GSM standard explictly allows phones to tell the network which number to call for voicemail.
b) installing a little application on your phone that syncs your text messages on your phone with their servers or, if you do not have the right kind of phone for that, asks you for your name and password to log into your cell-phone operator (aka Mobile Network Operator [MNO]) and sync their servers with your account data and text log
c) wil spoof Caller-ID and SMS ID to display your phone number when you use their web application to make calls and respond to texts instead of your own phone.

This sounded great to me. I am behind a computer at least 8 hours every working day and always actually more, and communicate mostly through texts and VoIP. It would be great to finally integrate the two comms devices I use most, and have a big keyboard for my texts and a big window to manage them in, and read transcripts from my voicemail, and just use my computer to handle calls without switching headsets and everything.

My next thought was that this would totally be the way to go in ten years when mobile coverage is synonymous with high-speed data coverage: no need for software on the phone itself besides a browser and codecs for voice: all of the phone's SMS and voicemail and calling and phone book and calendars would be done by the servers on the network, not the always-memory-starved device. Handsets would become dumb terminals with great screens because you could save on all other components, with user interfaces and software that would simply be upgraded just by updating the web application on the operator side, and all the applications and toys and games and data would be made of little software components of which you can choose whether they lived on your dumb-client handset or the big servers on the network or both and stayed synced, and whichever computer with a browser you walked up to would be also be your full phone. Awesome! I wish I had Skydeck in the UK now.

And then I went through my log of texts I have received -- well, my Inbox -- that my little N73 will gladly keep letting grow for as long as it has memory left. (Which is also why an N73 gets dog slow in opening a new text after a year, unless you clear the Inbox out.) And yes, it was filled with 140 characters or more of jokes, thoughts, business ideas, obscenities, sarcasm, flirts, insults, meetings, fury, navel gazing (hey, I Twitter), and outright hardcore sex that well-rounded adults with an over-reliance on their phones would receive. And I wondered: does this really need to be on a 3d party server?

Well, first of all, would I even be allowed to use their service? Let me translate Skydeck's Terms Of Service into English:
You agree not to do any of the following while using or accessing the Site, Content, Services, Your Data or Skydeck Reports:

Post, publish, or transmit any text, graphics, or material that:
You can not send texts using Skydeck that
(i) is false or misleading;
i) contain a lame excuse (a.k.a. a lie) about why you are or were or will be late or will not show up;
(ii) is defamatory;
ii) describes someone as a ho;
(iii) invades another’s privacy;
iii) describes exactly why that someone is a ho and how many were involved;
(iv) is obscene, pornographic, or offensive;
iv) describes exactly what that ho did;
(v) promotes bigotry, racism, hatred, or harm against any individual or group;
v) includes a reference to a blonde joke, or the whole joke, relevant to that ho;
(vi) infringes another’s rights, including any intellectual property rights; or
vi) describes how stupid the ho's latest idea for a new kind of mobile sex chat web service was;
(vii) violates, or encourages any conduct that would violate, any applicable law or regulation or would give rise to civil liability;
vii) well, no, that would be awful, I am glad none of my texts ever do that.

In other words, Skydeck doesn't want any normal humans to use their service for what they actually text. Especially anyone between the ages of 7 to 50, but I bet this generation won't grow out of calling people ho's after we turn 50.

But still, suppose we break these Terms Of Service, which I guarantee you 99% of Skydeck's subs using their text facilities already have done. Facebook has already brought home for the most people that Internetting your non-work life -- not even your private life, but just what you do outside work -- can kill your reputation. Oops you were drunk on camera once and a friend uploaded it, and now the Internet will a) never forget b) let anyone find out by entering your name. Blogs suddenly also blurred the boundaries between having an opinion and getting fired for it because your employer thought it would make them look bad. There are real repercussions to uploading your life to the cloud. (Meanwhile, the cloud is also capable of forgetting exactly what you wanted to keep. It's never fair.)

What I have put up on the Internet in my younger more naive days is bad enough, if my text logs for any reason would become public I would be simply mortified. Skydeck has a privacy policy and a security policy and writes about how they are so aware that they need you to trust them. Most of their security policy is bog-standard baseline stuff that any website that needs a password to access it should do, but there is one place where they go the extra mile: Skydeck claims all your data on their servers is encrypted. I hope that means the data of the account holder is encrypted with the password of the account holder so that all accounts are encrypted independent of each other, and not that all account data is encrypted with the same key, because that would still create a single point of vulnerability. But their privacy policy is clear: Skydeck will give your email address and your other data to 3d party service providers (calling out mailing list administrators as an example) and warns that your data could be hosted on any server in the world. They're therefore really open about the fact that an awful lot of companies that are not Skydeck -- and in my opinion 'an awful lot' is more than 0 -- will be entrusted with some or all parts of the data. Skydeck is not specific here, and every extra company is an extra vulnerability. They do say that the account holder gets to say whether another company gets access to the data or not, but that means that not only do we need to trust Skydeck -- about which we know very little -- we now have to make trust decisions about 3d party start-ups as well, with very little information, except their privacy policies. Policies which are non-binding, by the way.

Skydeck even makes the unfortunate claim that
we treat your cell phone records with the same respect that your bank treats your financial records.
Banks in the US and UK have recently been found to have made public the personal of how many account holders? By losing tapes and not shredding papers? Banks are not your golden standard for privacy, people!

Neither the security nor privacy policy has any teeth. Skydeck is not willing to put anything on the line here for you, not making any guarantees, just setting their own limits of liability (and they seem to be capped at $20). Seriously, go through your text logs and wonder how many of those you want the world to be able to read. Most of you will be ok, but many many of you would be toast. Red-faced, I-need-to-move-and-change-my-name toast. I can't think of a jucier target for hardcore lulz than those servers once Skydeck and their competitors takes off.

When I mentioned this in my first Tweet response, I was told, well, Skydeck isn't doing anything more your MNOs would or are doing. Well, actually, no, that's not true. MNOs are under stringent FCC and FTC regulations. And from the regulatory point of view in the USA, a text is a private as a phone call. AT&T is not allowed to just record your call, and T-Mobile is not allowed to start mining your voice-mails for data beyond what they need to keep their network running. If any of those companies wants to listen in or share any part of the content of these communications, they need legal papers. When AT&T got caught recording customer calls to hand over to the a legitimate government security organization, court cases and legal debates ensued and a law had to be specifically passed to clear the network operator of guilt (which up to that law they were swimming in). When I worked at an MVNO I came up with a service that would keep our subscribers safer by having our computers monitor their texts. When I presented it Legal said basically NFW, it would mean we were eavesdropping on our own subscriber's conversations and we could not legally do that. Being an operator comes with being in a framework that has real teeth to create real protections for consumers. Skydeck can go get and store your stuff because you give them permission to act as your agent, yet since they are not an operator, they are not in the regulatory framework of phone privacy set and enforced by the FCC (but still, are they allowed to store texts other people sent to you? That's different from you giving them permission to store the texts you write). It's like your email provider. Google says they are keeping my mail safe too, but geezus, man, what if they don't? And I know they are mining it, they are quite open about it. Meanwhile the postal mail has its own policing environment to enforce nobody but you reads your mail or tries to defraud you. Should we really not think a little more about these things before we click yes?

This hit home for me when the blogging network I was on which I made many sexy gossipy angry lulzy entries, stringently protected to be for my best friends' eyes only, suddenly got bought by a company outside the US in a politically dicey environment. This new company has no legal obligation to enforce the privacy controls I signed up for. Of course they didn't switch them off, they are not stupid, but I realized then that the trust relationship I entered 6 years ago with a scrappy start-up is not the same I am continuing with another company far away run by who knows who. Skydeck promises that if they get bought or go bankrupt they will give you time to delete your account, which again puts them ahead of many Terms of Service documents out there, but that is all: they do not say how much time is enough time, and the terms really have no teeth, especially if they go bankrupt. Your data is on their servers, and if they think 2 hours is enough time, two hours between their email going out and making all your texts public is all the time they need to take. Yes, this is an unrealistic and absurd scenario. And I doubt Skydeck will be the company where this chain of event happens. But the absurd happens, so it will, to some server where you have entrusted your private data, sooner or later as we migrate more and more to having lives on and off the cloud. It's gonna be messy.