<p>Software companies – The Conversation</p>
<h1>The Petya ransomware attack shows how many people still don’t install software updates</h1>
<p>2017-05-15T20:37:53Z</p>
<figure><img src="https://images.theconversation.com/files/169396/original/file-20170515-7005-1kosyny.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">People don't want to be interrupted to update their software.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/woman-working-on-internet-using-computer-553675984">irin73bal via Shutterstock.com</a></span></figcaption></figure>
<p>A new global ransomware attack, called “Petya” or “<a href="https://twitter.com/kaspersky/status/879749175570817024">NotPetya</a>,” <a href="https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/">exploits the same vulnerability</a> as the “WannaCry” attack back in May. As <a href="https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html">Petya spreads across Europe</a>, it’s becoming clear how few people and companies – <a href="https://www.usatoday.com/story/tech/news/2017/06/27/large-cyberattack-hits-europe-disrupts-power-grid-banks/103226268/">including major corporations</a> – actually update their software, even in the wake of major cyberattacks.</p>
<p>WannaCry <a href="https://www.washingtonpost.com/news/worldviews/wp/2017/05/15/the-era-of-cyber-disaster-may-finally-be-here/">could have been avoided</a>, or at least made much less serious, if people (and companies) kept their computer software up to date. The WannaCry attack demonstrated how <a href="https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html?_r=0">hundreds of thousands of computers in more than 150 countries</a> are running outdated software that leaves them vulnerable. The victims included <a href="http://pix11.com/2017/05/15/wannacry-virus-spreads-to-asia-experts-warn-of-new-wave/">Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry</a>.</p>
<p>As WannaCry spread, media outlets, technology firms and cybersecurity companies around the world <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">recommended people update their computer systems immediately</a> if they hadn’t already. The Petya attack targets computers that weren’t updated, despite those very clear public alerts.</p>
<p>The security flaw that allowed both attacks to occur was <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">fixed by Microsoft in March</a>. But only people who keep their computers updated were protected. Details of the flaw were <a href="https://news.vice.com/story/hackers-used-stolen-nsa-tools-to-launch-a-cyberattack-on-more-than-70-countries">revealed to the public in April by the Shadow Brokers</a>, a group of hackers who said they had stolen the information from the U.S. National Security Agency.</p>
<p>Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.</p>
<h2>Updating is a pain</h2>
<p>All people had to do to stay safe from Petya and WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their <a href="http://dx.doi.org/10.1145/2858036.2858303">experiences of installing software updates</a>.</p>
<p>Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – <a href="https://technet.microsoft.com/en-us/security/bulletins.aspx">always the second Tuesday of every month</a>, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.” </p>
<p>Some people may also be concerned that updating software <a href="https://twitter.com/__apf__/status/863961744204472322">could cause problems with programs they rely on regularly</a>. This is a particular concern for <a href="https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/9d6a8704-764f-46df-a41c-8e9d84f7f0f3/mjpg-encoded-media-type-is-not-available-for-usbuvc-webcameras-after-windows-10-version-1607-os?forum=mediafoundationdevelopment">companies with large numbers of computers</a> running specialized software.</p>
<h2>Is it necessary?</h2>
<p>It can also be very hard to tell whether a new update is truly necessary. The software that fixed the Petya/WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that <a href="http://aisel.aisnet.org/icis2014/proceedings/ISSecurity/28/">people ignore repeated security warning messages</a>. Consequently, these monthly updates may be especially easy to ignore.</p>
<p>The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the Petya/WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.</p>
<p>Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel <a href="https://redmondmag.com/articles/2017/03/14/march-2017-security-updates.aspx">suggested prioritizing four of the 18 updates – but not the one fixing Petya and WannaCry</a>. Security company Qualys also failed to include that specific update in its <a href="https://blog.qualys.com/laws-of-vulnerabilities/2017/03/14/massive-security-update-from-microsoft-for-march">list of the most important March updates</a>. </p>
<h2>Security pros, and everyone else</h2>
<p><iframe id="76Jwt" class="tc-infographic-datawrapper" src="https://datawrapper.dwcdn.net/76Jwt/3/" height="400px" width="100%" style="border: none" frameborder="0"></iframe></p>
<p>The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only <a href="https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf">64 percent of security experts update their software automatically</a> or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.</p>
<p>Another research project <a href="http://www.umiacs.umd.edu/%7Etdumitra/papers/OAKLAND-2015.pdf">analyzed software-update records from 8.4 million computers</a> and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.</p>
<h2>Making updates easier</h2>
<p>Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts. </p>
<p>Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, <a href="https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en">installs updates silently and automatically</a> – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.</p>
<p>That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the Petya/WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.</p>
<h2>Getting the message out</h2>
<p>So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by <a href="https://www.internetsociety.org/doc/can-edutainment-change-software-updating-behavior">producing and evaluating entertaining and informative videos</a> about computer security.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/muvwozXpyx4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">An entertainment-education video about software updating produced by researchers at the University of Maryland.</span></figcaption>
</figure>
<p>In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even <a href="http://securitycartoon.com/index.php?comic=20070416&tag=malware">security comics</a>, may be a first step toward helping us stay safer online.</p>
<p><em>Editor’s note: This article was updated on June 27, 2017, to add discussion of the Petya/NotPetya ransomware attack.</em></p>
<p class="fine-print"><em><span>Elissa Redmiles receives funding from the National Science Foundation, Facebook, and the Department of Defense. She is on the editorial board of Data4America, a nonpartisan data journalism nonprofit.</span></em></p>
<p>People don’t want to endure the interruptions and inconveniences of keeping their computer software up to date. Research tells us why, and how we might fix the problem – and protect ourselves.</p>
<p>Elissa M. Redmiles, Ph.D. Student in Computer Science, University of Maryland</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>How timekeeping software helps companies nickel and dime their workers</h1>
<p>2017-01-12T02:12:34Z</p>
<p>If you work on an hourly basis, you may not have given much thought to what happens to your hours after you log out of your workstation. You might assume those hours are simply converted into dollars and show up on your paycheck.</p>
<p>However, there are a lot of ways employers can manipulate your time using timekeeping software, some of which are legal and others highly questionable. </p>
<p><a href="http://www.bls.gov/opub/reports/minimum-wage/2015/home.htm">About 60 percent</a> of U.S. employees are paid on an hourly basis. To keep track of those hours, <a href="http://www.nationalpayrollweek.com/documents/NPW2015SurveyResults.pdf">most employers</a> use some form of electronic system. This adds up to a mountain of data, so employers use software to manage that data before turning it over to payroll.</p>
<p>In collaboration with fellow researchers <a href="http://robinson.gsu.edu/profile/charlotte-alexander/">Charlotte Alexander</a> and <a href="https://www.littler.com/people/dr-zev-j-eigen">Zev Eigen</a>, I examined 13 different timekeeping software programs by reviewing software tutorials, technical support materials and promotional information. This gave us some insight into the features available through the software. Our findings were recently <a href="http://yjolt.org/when-timekeeping-software-undermines-compliance">published</a> in the Yale Journal of Law and Technology.</p>
<p>These features allow employers to alter your time in a variety of unexpected ways, which we describe below.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/YKS273dxBWE?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Timekeeping software, explained via animated gifs.</span></figcaption>
</figure>
<h2>Archaic rules</h2>
<p>First a little background on why software companies include these tools in their programs and why employers are able to take advantage of them. </p>
<p>The <a href="https://www.law.cornell.edu/cfr/text/29/part-516/subpart-A">federal regulations</a> that govern how employers manage hourly records are hopelessly outdated. They were drafted by the Department of Labor in 1987 and did not contemplate the ease and scale with which timekeeping records can be modified. </p>
<p>The recordkeeping rules were crafted around paper-based records and still refer to time “cards” and “microfilm.” As much as the old punch card machine is seared into our collective memories, most employers now use sophisticated digital systems. Employees log in and out through a computer, badge reader or smartphone. These logins are synced with the timekeeping software. The software can then make automatic changes to the time, which supervisors can review and edit.</p>
<p>This has left software makers free to compete on features that ultimately serve to disadvantage workers, with little accountability. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=184&fit=crop&dpr=1 600w, https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=184&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=184&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=232&fit=crop&dpr=1 754w, https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=232&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/152176/original/image-20170109-23453-6p7dgw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=232&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">This screenshot illustrates the process of managing employee time data.</span>
<span class="attribution"><span class="source">Screenshot from Kronos promotional materials.</span>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<h2>Rounding your time away</h2>
<p>One of the more common features we observed in software programs was known as “rounding,” in which an employee’s times <a href="https://cms.bsu.edu/-/media/www/departmentalcontent/payroll/pdfs/kronos%20rounding%20rules.pdf?la=en">are rounded to a preset increment</a> such as the nearest 15-minute mark (1:00, 1:15, etc.). </p>
<p>For example, if you log in to your work station at 8:56 a.m., the software assumes you clocked in at 9 a.m., erasing four minutes of work. (Conversely, if you log in at 9:04, the software assumes you arrived at 9, giving you a bonus of four minutes.) </p>
<p>It seems fair in theory. But when rounding interacts with employer attendance policies, it can hurt employees. You’re more likely to log in a few minutes early to avoid getting in trouble for being late. But those extra minutes are rounded away. Rounding operates like “house odds” at a casino – you might win here or there, but in the aggregate, the house always wins.</p>
<p>These minutes add up. A 5-minute loss per day adds up to 100 minutes a month per worker. If that person is working full time, those minutes may also be overtime, which federal law dictates must be paid at a 50 percent premium to the hourly rate. Multiplied across an entire workforce? That’s a lot of wages that workers don’t get to keep.</p>
<p>Surprisingly, rounding is generally allowed under existing rules. <a href="http://www.ecfr.gov/cgi-bin/text-idx?SID=4708509d72d4d1904592f9ae63c8ef24&node=se29.3.785_148&rgn=div8">It’s</a> a decades-old accommodation to employers previously forced to calculate hours manually. But there’s no good reason to permit rounding when software can calculate hours to the millisecond.</p>
<h2>Automatic break deductions</h2>
<p>Another software feature automatically deducts scheduled breaks from an employee’s hours. </p>
<p>For example, if you’re scheduled to take a 30-minute lunch break, that time can be deducted from your hours automatically, <a href="https://www.youtube.com/watch?v=GbrR1N5n7HI">regardless of your actual time records</a>. (Here’s <a href="http://www.uab.edu/images/finance/vpad/pdf/KRONOS/Autodeductlunchrulequickguide.pdf">an example</a> of an employer’s automatic break deduction setup.)</p>
<p>There is a certain efficiency in this feature, and its legality depends on the circumstances in which it is applied. But like rounding, it is structured as a form of house odds. The presumption works in the employer’s favor, and the employee usually must engage in some sort of override to be paid for a missed break – like notifying a supervisor or filling in paperwork. </p>
<h2>Supervisor ‘edits’ to employee timecards</h2>
<p>Timekeeping software is <a href="https://www.youtube.com/watch?v=7JXQnBPnVUo#t=6m57s">commonly structured</a> to <a href="https://www.youtube.com/watch?v=z2wi546dq7E#t=1m17s">give supervisors access</a> to – and the authority to modify – the timecards of employees who work for them. <a href="https://www.youtube.com/watch?v=7nCbJ8WMvUY#t=3m31s">Typically</a>, the screen lists the names of each direct report and a button allowing them to “edit” the time. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=388&fit=crop&dpr=1 600w, https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=388&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=388&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=487&fit=crop&dpr=1 754w, https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=487&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/152179/original/image-20170109-23473-4mbvim.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=487&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">An example of an interface for reviewing employee time.</span>
<span class="attribution"><a class="source" href="https://www.patriotsoftware.com/payroll/add-ons/time-attendance/">Screenshot from Patriot Software YouTube video</a>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>There are legitimate reasons to give supervisors access to employee time, such as to correct mistakes like a missed punch. But the list of legal reasons that would justify changes to an employee’s time is pretty short. </p>
<p>Once an employee has already worked the hours, state and/or federal law generally requires employers to pay them. Otherwise, it’s wage theft.</p>
<p>Software makers seem unconcerned by the possible misuse of the software. Instead, the software presents subtle behavioral cues that could legitimize unlawful wage practices. A button labeled “edit” rather than “correct” suggests that it is okay to “edit” wages for purposes other than fixing mistakes. For example, if an employee works unauthorized overtime, a supervisor may mistakenly believe those hours can be shaved because they were unauthorized.</p>
<p>One program allowed certain users to alter hours using a slider that could be dragged forwards or backwards. The slider was <a href="https://www.tsheets.com/ways-to-track-time">advertised</a> next to a picture of a child on a slide, hinting that altering an employee’s hours is “fun.” </p>
<p>A slider is problematic from a behavioral standpoint because it allows supervisors to morally distance themselves from what they are doing. Social psychology research <a href="https://books.google.com/books?id=ro7X8HRyuEIC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false">suggests</a> that people are more likely to engage in unethical conduct when it is distanced from stealing – for example, stealing pens from the office versus taking money from petty cash. The experience of moving a slider on a screen feels very different from taking money out of an employee’s pocket. </p>
<p>Another program had a pop-up window for supervisors to review overtime hours. <a href="https://www.youtube.com/watch?v=lHPSj2Md1h4#t=25m16s">The window</a> offered three options: to pay “all,” “none” or “some” of the overtime. This is also problematic from a behavioral standpoint, because users may infer from the buttons that “some” or “none” is a reasonable option. To the contrary, wage and hour law requires employers to pay for all <a href="https://www.law.cornell.edu/uscode/text/29/207">overtime hours</a> already worked.</p>
<p>A third program had a “<a href="https://www.youtube.com/watch?v=J5VfilICLlk">carry forward hours</a>” function, which moved hours from one pay period to a future period. We were at a loss to think of any legitimate use for this function and surmise that it is used to avoid overtime.</p>
<p>Our study looked only at the software features available on the market – we did not study how frequently the features were used for unlawful purposes. However, even if misuse of the software is extremely rare, it could add up to a lot of wage theft in the aggregate. </p>
<p>Have your hours ever been modified in this way? You may not know. Many of the software programs were generally not set up to notify employees when supervisors make changes to their timecards.</p>
<h2>Employees should know what happens to their hours</h2>
<p>The status quo – in which software is used to alter employee hours in numerous ways without their knowledge – hurts everyone. Employees lose out on earned wages. Employers may benefit in the short term but they also risk big wage and hour lawsuits when small problems aren’t detected early. </p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=233&fit=crop&dpr=1 600w, https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=233&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=233&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=293&fit=crop&dpr=1 754w, https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=293&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/152180/original/image-20170109-32456-7ub8ly.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=293&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Some software programs are more transparent than others (or can be customized to be more transparent). This graphic illustrates a program that allows managers to ‘accept’ or ‘reject’ an employee’s time, but editing can be done only by the employee.</span>
<span class="attribution"><span class="source">Screenshot from BigTime website video</span></span>
</figcaption>
</figure>
<p>It need not be this way. A <a href="https://www.youtube.com/watch?v=I4kr3bUNTuc">few</a> <a href="https://www.bigtime.net/dcaa-timesheet-review-and-approval/">of the programs</a> we reviewed were structured to involve employees in any managerial edits to their timecards. Other software programs offered <a href="https://www.kronos.com/resources/attestation-tool-kit">“add-on”</a> <a href="https://www.bigtime.net/pricing/">features</a> providing meaningful notification to employees, but these features are <a href="https://velocitycloud.com/resources/blog/the-little-known-kronos-toolkit-you-should-be-using">apparently rarely purchased</a> by employers. </p>
<p>More transparent software would satisfy the employer’s interests in efficiency while also allowing supervisors and employees to hold each other accountable for the integrity of the time records. Record-keeping rules should also be updated to reflect current realities. Employers with transparent systems should be rewarded, while bad actors are punished.</p>
<p>Ultimately, employees should demand, and employers should select, better software. Software makers will respond.</p>
<p class="fine-print"><em><span>Elizabeth C. Tippett does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>If you think the hours you work are all converted directly into dollars, think again. There are a lot of ways employers can manipulate your time – some of which are legal, others highly questionable.</p>
<p>Elizabeth C. Tippett, Associate Professor, School of Law, University of Oregon</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Ten years on, the iPhone has taken us back as many steps as it has taken us forward</h1>
<p>2017-01-09T15:23:16Z</p>
<figure><img src="https://images.theconversation.com/files/152092/original/image-20170109-23468-92bb4f.jpg?ixlib=rb-1.1.0&rect=0%2C185%2C1936%2C1110&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A reinvention, yes. But has it taken us in the right direction?</span> <span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:Steve_Jobs_presents_iPhone.jpg">Blake Patterson</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure>
<p>The <a href="http://news.bbc.co.uk/1/hi/technology/6246063.stm">10th anniversary of the Apple iPhone</a> reminds us that while it was not the <a href="http://pocketnow.com/2014/07/28/the-evolution-of-the-smartphone">first smartphone</a>, it was the first to achieve mass-market appeal. Since then the iPhone has defined the approach that other smartphone manufacturers have taken.</p>
<p>Smartphones have transformed our lives, essentially giving us an internet-connected computer in our pocket. But while we’re distracted by <a href="https://theconversation.com/mps-could-do-a-lot-worse-than-play-candy-crush-in-meetings-35290">Candy Crush</a> or <a href="https://theconversation.com/why-niantic-didnt-need-marketing-to-make-pokemon-go-viral-63159">Pokemon Go</a>, we are losing freedoms. We are losing control of our own devices, and losing access to the information they contain – in the very same devices that are increasingly important in our life.</p>
<p>To see how far we’ve come, consider that personal desktop computers only became widespread with the <a href="https://www-03.ibm.com/ibm/history/exhibits/pc25/pc25_birth.html">IBM PC</a>. Because the PC was designed with an open architecture, an enormous industry of PC-compatible products from other manufacturers sprang up. It’s the same today: when you purchase a computer, you’ll have (if you wish) the ability and the right to add or remove, swap or upgrade any element of the system hardware, install or remove any software you wish, including the operating system, and access any information stored on it.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/vN4U5FqrOdQ?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>However, today the smartphone or tablet has in many cases effectively replaced the desktop or laptop computer. In parts of the developing world, smartphones are the <a href="https://www.theguardian.com/world/2016/aug/08/africa-calling-mobile-phone-broadband-revolution-transform-democracies">first experience many have of computing and internet access</a>. The fact that they are small and portable and work wirelessly means they are put to many other uses, such as receiving guidance from navigation systems, listening to music while exercising, or playing games in waiting rooms.</p>
<p>Yet doing something that’s very simple on a computer – such as listing your files – is impossible on an iPhone. iPhone users can change their background image, their ring-tone, the time of their alarm. But the iPhone jealously guards what files it contains. The phone that you carry everywhere with you, that knows your precise location and that records the websites you visit keeps all of its files completely inaccessible to you. If you care about privacy, this should sound disturbing.</p>
<p>We have always had the right to govern our own computers, to do with them as we wished. But the smartphones and tablets we’re buying today come without administrator rights: we are merely users in the hands of the big tech companies, and these firms effectively rule the machines we live with.</p>
<h2>Information and freedom</h2>
<p>Of course, the iPhone does allow access to some information, such as photos, emails or documents. But it is often difficult to get that data off the phone. The way the iPhone communicates with your computer is a closed, proprietary protocol, and Apple changes this protocol each time it updates the phone. So if you use neither Microsoft Windows nor Apple Mac computers, you will have a hard time even getting your own photos out of your own phone.</p>
<p>Apple also restricts what information can be stored on the device. For example, iPhone users are obliged to transfer any music files on the phone through Apple iTunes software. If you cannot or do not wish to run iTunes – no music for you. Additionally, iTunes will automatically delete all the music tracks on your phone if you try to <a href="https://support.apple.com/en-gb/HT201253">transfer files from more than one computer</a>, due to digital rights management software that assumes that access from more than one computer means that the file has been shared illegally. It’s a bit like buying spectacles that control the conditions under which you’re allowed to read books. Or a backpack that will destroy all its contents if you attempt to carry items bought from different stores.</p>
<p>The same issue also affects which applications can be installed. If you learn how write code, you can develop your own applications to solve your own unique problems. But the iPhone doesn’t allow you to run those programs: only software authorised by Apple and distributed via the Apple Store is permitted.</p>
<h2>Open alternatives</h2>
<p>Why so tightly control what we can do with our devices? Some may argue that these restrictions are necessary for the sake of security. If we look again at computers, however, we find that Linux, an open source non-commercial operating system, is also the <a href="http://www.zdnet.com/article/uks-security-branch-says-ubuntu-most-secure-end-user-os/">most secure</a>. It’s true that the Android mobile phone operating system, which is more open, is not as secure as the iOS operating system that runs Apple’s iPhone. But Linux shows that it is possible to have a system that is both secure and open.</p>
<p>In fact, <a href="http://www.puredarwin.org/">iOS is built around several open source software projects</a> – those whose internal workings are open to anyone to view or modify, for free. But while elements of iOS are open source, they are used as part of a tightly closed system. Android, an open source mobile phone operating system originally created by Google, is the chief alternative to the iPhone. But Android phones too have many closed source components, and Google is constantly <a href="http://arstechnica.com/gadgets/2013/10/googles-iron-grip-on-android-controlling-open-source-by-any-means-necessary/">replacing open components with closed source ones</a>.</p>
<p>Another alternative comes in the form of <a href="http://www.omgubuntu.co.uk/2016/09/ubuntu-phone-ota-13-new-features">Ubuntu Touch</a>, a recent version of the popular <a href="https://www.ubuntu.com/">Ubuntu Linux</a> for phones and tablets, although it is not yet widely used. The fact remains that ten years on, the mobile revolution kicked off by the iPhone has taken us several steps forward and several steps back, leaving us uncertain of whether some day we will actually fully own our devices.</p>
<p class="fine-print"><em><span>This article was written based on discussions with Rafael Sahb, manager of the web for development team at the Council on Health Research for Development, an NGO which develops online platforms for health research in Africa and the developing world.</span></em></p>
The iPhone mobile revolution put powerful computers in our pockets, but took away our rights to control them. Is that worth celebrating?
Leandro Soriano Marcolino, Lecturer in Data Engineering, Lancaster University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/63178
2016-08-18T02:54:21Z 2016-08-18T02:54:21Z
How companies learn what children secretly want
<figure><img src="https://images.theconversation.com/files/134501/original/image-20160817-3578-n5lxb2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Companies use children's data to sell them junk food and other products.</span> <span class="attribution"><a class="source" href="http://www.shutterstock.com/pic-367390880/stock-photo-chocolate-chip-cookies-in-the-hands-of-a-child.html?src=lJAx4QMYQvOUq8qoi2GsyQ-1-73">Cookie image via www.shutterstock.com</a></span></figcaption></figure><p>If you have children, you are likely to worry about their safety – you show them safe places in your neighborhood and you teach them to watch out for lurking dangers. </p>
<p>But you may not be aware of some online dangers to which they are exposed through their schools. </p>
<p>There is a good chance that people and organizations you don’t know are collecting information about them while they are doing their schoolwork. And they may be using this information for purposes that <a href="https://www.academia.edu/24593242/Corporate_Schooling_Meets_Corporate_Media_Standards_Testing_and_Technophilia">you know nothing about</a>.</p>
<p>In the U.S. and around the world, <a href="https://www.youtube.com/watch?v=Lr7Z7ysDluQ">millions of digital data points are collected</a> daily from children by private companies that provide educational technologies to teachers and schools. Once data are collected, there is little in law or policy that prevents companies from <a href="https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade">using the information</a> for almost any purpose they wish. </p>
<p><a href="https://rowman.com/ISBN/9781475813616/Sold-Out-How-Marketing-in-School-Threatens-Childrens-Well-Being-and-Undermines-their-Education">Our research</a> explores how corporate entities use their involvement with schools to gather and use data about students. We find that often these companies use the data they collect to market products, such as junk food, to children.</p>
<h2>Here’s how student data are being collected</h2>
<p>Almost all U.S. middle and high school <a href="https://thejournal.com/articles/2014/04/08/a-third-of-secondary-students-use-school-issued-mobile-devices.aspx">students use mobile devices</a>. A third of such devices are issued by their schools. Even when using <a href="http://www.edweek.org/ew/articles/2015/06/11/districts-turn-byod-disorder-to-their-advantage.html">their own devices</a> for their schoolwork, students are being encouraged to use <a href="https://boostelearning.com/blog/google-apps-for-education-anticipated-to-reach-110-million-users-by-2020/">applications and software</a>, such as those with which they can create multimedia <a href="https://www.glogster.com/#love">presentations</a>, do <a href="https://compasslearning.com/goquest/">research</a>, learn to <a href="https://www.nitrotype.com/">type</a> or <a href="https://www.schoology.com/">communicate</a> with each other and with their teachers. </p>
<p>When children work on their assignments, unknown to them, the software and sites they use are busy collecting data. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/134503/original/image-20160817-3602-1a7pzmc.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Ads target children as they do their homework.</span>
<span class="attribution"><a class="source" href="http://www.shutterstock.com/pic-15854176/stock-photo-young-girl-with-laptop-doing-homework-in-dining-room.html?src=ktP0S4PfpU2i58Nw8GOZlQ-1-7">Girl image via www.shutterstock.com</a></span>
</figcaption>
</figure>
<p>For example, <a href="https://www.knewton.com/resources/press/67525/">“Adaptive learning”</a> technologies record students’ keystrokes, answers and response times. Online <a href="https://www.youtube.com/watch?v=2OZyzYUog8w">surveys</a> collect information about students’ personalities. <a href="https://www.remind.com/">Communication</a> software stores the communications between students, parents and teachers; and <a href="https://www.glogster.com/#love">presentation</a> software stores students’ work and their communications about it. </p>
<p>In addition, teachers and schools may direct children to work on branded apps or <a href="http://www.studystack.com/Privacy">websites</a> that may collect, or allow <a href="http://adage.com/article/digital/google-dominates-ad-tech/244824/">third parties</a> to collect, IP addresses and other information from students. This could include the ads children click on, what they download, what games they play, and so on.</p>
<h2>How student data are used</h2>
<p>When “screen time” is <a href="https://www.eff.org/studentprivacy-casestudy">required for school</a>, parents cannot limit or control it. Companies use this time to find out more about children’s preferences, so they can target children <a href="http://adage.com/article/catapult/path-changing-complex-journey-conversion/304598/">with advertising</a> and other content with a personalized appeal. </p>
<p>Children might see ads while they are working in educational apps. In other cases, <a href="https://www.eff.org/deeplinks/2015/12/googles-student-tracking-isnt-limited-chrome-sync?from=student-privacy">data might be collected</a> while students complete their assignments. Information might also be stored and used to better target them later.</p>
<p>For instance, a <a href="http://www.studystack.com/Privacy">website</a> might allow a third party to collect information, including the type of browser used, the time and date, and the subject of advertisements clicked or scrolled over by a child. The third party could then use that information to target the child with advertisements later.</p>
<p>We have <a href="http://nepc.colorado.edu/publication/schoolhouse-commercialism-2015">found</a> that companies use the data to serve ads (for food, clothing, games, etc.) to the children via their computers. This repeated, personalized advertising is <a href="https://www.democraticmedia.org/article/how-youtube-big-data-and-big-brands-mean-trouble-kids-and-parents">designed</a> specifically to manipulate children to want and buy more things.</p>
<p>Indeed, over time this kind of advertising can threaten children’s <a href="http://nepc.colorado.edu/publication/schoolhouse-commercialism-2012">physical</a> and <a href="http://nepc.colorado.edu/publication/Schoolhouse-commercialism-2010">psychological</a> well-being. </p>
<h2>Consequences of targeted advertising</h2>
<p><a href="http://nepc.colorado.edu/publication/national-survey-types-and-extent-marketing-foods-minimal-nutritional-value-schools">Food</a> is the most heavily advertised class of products to children. The heavy digital promotion of “junk” food is associated with negative health outcomes such as <a href="http://www.cdc.gov/healthyschools/obesity/facts.htm">obesity</a>, <a href="http://www.thelancet.com/pdfs/journals/lancet/PIIS0140-6736(07)60958-1.pdf">heart disease and diabetes</a>. </p>
<p>Additionally, advertising, regardless of the particular product it may sell, also “sells” to children the idea that products can make them happy. </p>
<p>Research shows that <a href="https://www.scribd.com/book/235411618/Born-to-Buy-The-Commercialized-Child-and-the-New-Consumer-Cult">children</a> who buy into this materialist worldview are more likely to suffer from anxiety, depression and other psychological distress.</p>
<p><a href="https://books.google.com/books/about/The_High_Price_of_Materialism.html?id=2ekg225NTSwC">Teenagers</a> who adopt this worldview are more likely to smoke, drink and skip school. One set of <a href="http://www.tandfonline.com/doi/abs/10.1080/10478400701389045">studies</a> showed that advertising makes children feel far from their ideals for themselves in terms of how good a life they lead and what their bodies look like. </p>
<p>The insecurity and dissatisfaction may lead to negative behaviors such as <a href="http://sro.sussex.ac.uk/13276/">compulsive buying</a> and <a href="http://onlinelibrary.wiley.com/doi/10.1111/sjop.12101/abstract">disordered eating</a>. </p>
<h2>Aren’t there laws to protect children’s privacy?</h2>
<p>Many <a href="http://dataqualitycampaign.org/wp-content/uploads/2016/03/DQC-Student-Data-Laws-2015-Sept23.pdf">bills bearing on student privacy</a> have been introduced in the past several years in <a href="http://www.nasbe.org/wp-content/uploads/2015-Federal-Education-Data-Privacy-Bills-Comparison-2015.07.22-Public.pdf">Congress</a> and <a href="http://www.nasbe.org/wp-content/uploads/Vance_2016-State-Final.pdf">state legislatures</a>. Several of them have been enacted into <a href="http://www.nasbe.org/wp-content/uploads/Vance_2016-State-Final.pdf">laws</a>. </p>
<p>Additionally, nearly 300 software companies signed a self-regulatory <a href="https://fpf.org/2014/10/07/k-12-student-privacy-pledge-announced/">Student Privacy Pledge</a> to safeguard student privacy regarding the collection, maintenance and use of student personal information.</p>
<p>However, they <a href="http://www.politico.com/story/2015/03/privacy-bill-wouldnt-stop-data-mining-of-kids-116299">aren’t sufficient</a>. And here’s why:</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/134504/original/image-20160817-3602-5zi0zr.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Student privacy laws are not adequate.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/mimiw/1878700854/in/photolist-3S1Qj3-b8pivH-drsB7q-drsCcj-43YUBS-43UPNB-drsBxq-bx1jyp-bxpEou-9wp4KP-9jxJ6-dpT5sR-dn7w9M-5uGeWu-fryyBY-cSMfs1-b86bEk-cSMaNU-4zocnd-dJepGk-cz2KeE-dFxHmE-cSM96h-8wcRf8-6D47K-5TMsxx-2iV4D-8PCwt2-fvT5PN-bTkms-761HEK-5R4tTJ-4nWCrn-6N9kQU-dzbjuX-aYLK5P-cXg9D3-9pSwyB-eXBR7x-7agqDg-7yw12s-4Xtgen-7beJ1K-8dfWHj-dm3RNm-aYLK6D-7yw1sh-7yw1F3-cEJgcq-7yscJR">Mary Woodard</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<p>First of all, most laws, including the <a href="https://studentprivacypledge.org/">Student Privacy Pledge</a>, focus on <a href="http://www.gsa.gov/portal/content/104256">Personally Identifiable Information</a> (PII). PII includes information that can be used to determine a person’s identity, such as that person’s name, social security number or biometric information. </p>
<p>Companies can address privacy concerns by making digital data <a href="http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/">anonymous</a> (i.e., not including PII in the data that are collected, stored or shared). However, data can easily be <a href="https://www.cs.utexas.edu/%7Eshmat/shmat_oak08netflix.pdf">“de-anonymized.”</a> And, children don’t need to be <a href="http://adage.com/article/ken-wheaton/data-anonymized-find/297713/">identified with PII</a> in order for their online behavior to be tracked. </p>
<p>Second, <a href="https://www.govtrack.us/congress/bills/114/s1788/text">bills designed to protect student privacy</a> sometimes expressly <a href="http://www.njleg.state.nj.us/2016/Bills/A1500/1272_I1.HTM">preserve</a> the ability of an operator to use student information for adaptive or personalized learning purposes. In order to personalize the assignments that a program gives a student, it must by necessity track that student’s behavior. </p>
<p>This weakens the privacy protections the bills otherwise offer. Although it protects companies that collect data for adaptive learning purposes only, it also provides a loophole that enables data collection. </p>
<p>Finally, the <a href="https://studentprivacypledge.org/">Student Privacy Pledge</a> has <a href="http://nepc.colorado.edu/publication/schoolhouse-commercialism-2015">no real enforcement mechanism</a>. As it is a voluntary pledge, many companies may scrupulously abide by the promises in the pledge, but many <a href="https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade">others may not</a>. </p>
<h2>What to do?</h2>
<p>While education technologies show promise in some areas, they also hold the <a href="https://www.edsurge.com/news/2016-03-16-the-overselling-of-education-technology">potential to harm students profoundly</a> if they are not properly understood, thoughtfully managed and carefully controlled. </p>
<p>Parents, teachers and administrators, who serve as the closest protectors of children’s privacy at their schools, and legislators responsible for enacting relevant policy, need to recognize the threats of such data tracking. </p>
<p>The first step toward protecting children is to know that such targeted marketing is going on while children do their schoolwork. And that it is powerful.</p>
<p class="fine-print"><em><span>I have received funding to support my commercialism in schools research from Consumer's Union and from the Robert Wood Johnson Foundation.</span></em></p><p class="fine-print"><em><span>Faith Boninger does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
When children work on their school assignments, unknown to them, the software they use is busy collecting data. These data are then used for individualized marketing of junk foods and other products.
Faith Boninger, Research Associate in Education Policy, University of Colorado Boulder
Alex Molnar, Research Professor, University of Colorado Boulder
Licensed as Creative Commons – attribution, no derivatives.