Product Idea: Privacy First in (Food) Delivery

Problem: 

How many times have you received a food delivery and seen your name, address, and phone number written on the tax receipt?

How many packages have you received from a courier with the same data written in giant letters?

Data that could identify you is private, and we must protect it. At the same time, your delivery partner needs those details so they can fulfill your order. Are we in a Catch-22 situation here? Not at all!

Let’s see the flow of data in this complicated situation:

  1. You order food via your favorite app, and you give your name, address, and phone to them.
  2. They are just an aggregator, so they forward your details to the actual place to prepare the food.
  3. The restaurant uses a courier company (or a shared delivery engine) to deliver the order to you, and of course, they will share your details with them.

You can see your data flowing from system to system without your control or awareness. Add to that the fact that they print out the tax receipt and hand it over to a 3rd party without your consent, and you can imagine all the possible threats.

You don’t have visibility into who is doing what with your protected personal data. Every party in this chain believes that they need your details stored and printed out to “help you” get your food or item. And you even pay them to abuse you. Too harsh? Nope.

What is the solution, then?

Let me get this right. We all need a service like that – where you can order stuff and get it at home. The question here is – can we get a service that 1) believes your data is precious and will use it only when needed; 2) with your permission, and 3) without storing it?

Imagine a situation like this:

The courier needs to deliver some food to you. Before she leaves the station, she needs to know where to go. Remember – they don’t have your data. So she opens up an application and sends you a request to share the details.

Privacy Application - Request

Then, while sitting on the couch, you receive an alert for the request.

Privacy Application - Response

The courier is requesting the first name and the last name. You think they don’t need them for your food delivery. They could need your address and maybe your phone. So you select what you want to share and send it to them by selecting data from your data wallet, where you keep your details secured and encrypted.

The courier then receives it, and the data is available only until they deliver the food to you; after that it expires and is no longer visible or stored anywhere.

Data Wallet?

Here, the concept is that you, as a human, own your data. You keep it safe with you, just as you do with your physical wallet. When someone needs a bit of information, you decide what to send and how long they can have it.

* In this text, “Data Wallet” is a concept, not the name of an already existing product.
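A minimal model of the request, approve and expire flow described above, added here as an illustration and not taken from any existing product. The class DataWallet, its method names, the token format and the personal details are all assumptions constructed for the example.

```python
import secrets
import time


class DataWallet:
    """Toy model: personal fields stay in the wallet; a grant is only a handle."""

    def __init__(self, fields, clock=time.time):
        self._fields = dict(fields)      # in a real wallet: encrypted at rest
        self._grants = {}                # token -> (allowed field names, expiry)
        self._clock = clock              # injectable so expiry can be tested

    def approve(self, requested, selected, ttl_seconds):
        """Owner answers a request: share only fields both requested and selected."""
        allowed = set(requested) & set(selected) & set(self._fields)
        token = secrets.token_urlsafe(16)
        self._grants[token] = (allowed, self._clock() + ttl_seconds)
        return token

    def read(self, token, field):
        """Courier-side lookup; fails once the grant is revoked or expired."""
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("no such grant (revoked or never issued)")
        allowed, expires_at = grant
        if self._clock() >= expires_at:
            del self._grants[token]      # expired grants are dropped
            raise PermissionError("grant expired")
        if field not in allowed:
            raise PermissionError(f"{field!r} was not shared")
        return self._fields[field]

    def mark_delivered(self, token):
        """Delivery confirmed: end access immediately, before the TTL runs out."""
        self._grants.pop(token, None)


def demo():
    now = [1000.0]                       # constructed clock value
    wallet = DataWallet({"first_name": "Ana", "last_name": "Petrova",
                         "address": "12 Example St", "phone": "+00 555 0100"},
                        clock=lambda: now[0])  # constructed sample details
    # The courier asks for four fields; the owner selects only address and phone.
    token = wallet.approve(["first_name", "last_name", "address", "phone"],
                           ["address", "phone"], ttl_seconds=3600)
    seen = wallet.read(token, "address")
    wallet.mark_delivered(token)
    return wallet, token, seen
```

Expiry is enforceable in this model only because the courier's app reads through the wallet on every lookup; anything the app copies or prints is outside the wallet's control.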

Privacy First

As I said before in this tiny article – the data we share with random parties must be protected. The best way to do that is to keep the control in your own hands and not count on 3rd parties to do that for you. Most vendors use the data you share with them for purposes you never agreed to. So why don’t we take the control back if the technology supports that?

Food for thought

  • If you recycle, how many times did you make your data unreadable before throwing the envelope in the bin?
  • If you look at the paper recycling bin that sits in front of your building, how many names, phones, and addresses do you think you will find?

Privacy header image by Nick Youngson. Published under CC BY-SA 3.0

What would you do if you had a magic (agile) wand?

I am almost at the end of my journey towards the ICP-ACC learning path. To decode that – I am learning and acquiring new skills to become a better coach. My goal now is not to brag but to share a great thing I learned.

One of the stages of a coaching session is “Exploring.” As the title says, the goal is to help your coachee explore the problem area and get to the “aha” moment. 

To do that, I guide them with a series of questions using the knowledge from the previous steps. I found one of those questions very powerful. 

What would you do if you had a magic wand?

At first, I thought this was a stupid question and refused to ask it during my coaching exercise. Magic wand, right? Who am I? Gandalf?

Then I pushed myself to ask the question, and I was surprised by the result.

I asked the coachee why it happened like that. When he was in the middle of the problem root cause discovery, he realized he had some constraints set.

By asking this question, the coachee was encouraged to think wild, to forget about those constraints for a while. He was able to describe his ideal situation and path forward. He realized that those constraints are artificial, and he can ignore them. 

So what?

We often set limitations like that for ourselves, and most of the time, they are why we don’t take the step that could make us more successful. So, what would you do if you had a magic wand?

Steganography API at your service.

Steganography is the art and science of embedding secret messages in a cover message so that no one, apart from the sender and intended recipient, suspects the existence of the message. 

The most common example is to hide a message in an image file without compromising how the image looks. Most people use photos to share a fantastic moment or two and don’t know that they can contain a secret message.

What could be the use-case?

Someone can hack your phone and embed your text messages in the pictures you take and share on, say, Instagram.

A not-so-happy employee can post a picture on your blog with a secret message embedded in it to share some trade secrets with your competitors.

Another person can embed an exploit in a PNG ad image; JavaScript code would parse the PNG image, extract the malicious code, and redirect the user to the exploit kit landing page.

Steganography is also a well-known method for exchanging information between spies.

Even if it sounds like science fiction, this is a very viable threat against your systems and you.

Steganography Protector API

I have created a small API (as a proof of concept) that could discover a secret message hidden in any image file.

The end-point is here:

https://sapigate.herokuapp.com/steg

It accepts POST requests only. 

The input should be JSON encoded, and it should consist of a binary stream of your image.

Here is a Python example.

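import requests

url = 'https://sapigate.herokuapp.com/steg'
# Open the image in binary mode; the context manager closes the file after the upload.
with open('secret.png', 'rb') as img:
    # Send the image as the 'image' field of a POST request, with a timeout.
    r = requests.post(url, files={'image': img}, timeout=30)
# Print the decoded JSON reply.
print(r.json())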

The result of the command can be:

{'message': 'Secret Message', 'status': 'sucess'}

I am planning to extend the API by adding more use-cases and documentation, but you are free to start using it right away.

If you have any questions about it or it seems down, contact me via Twitter – @bogomep

A practical use

You could read all of the images from your blog and check via the API whether they contain a secret message, or check your last Instagram image for hidden traces.
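One way to run that check over a whole folder of blog images, as an added example rather than code from the API's author. The helper names, the list of image suffixes and the rule for what counts as a hit are assumptions, since the article documents only the endpoint and one sample reply.

```python
from pathlib import Path

STEG_URL = "https://sapigate.herokuapp.com/steg"   # endpoint given in the article
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}  # assumed set


def post_image(path, url=STEG_URL, timeout=30):
    """Upload one image the same way the article's snippet does; return parsed JSON."""
    import requests  # imported here so the rest of the module works without it

    with open(path, "rb") as img:
        resp = requests.post(url, files={"image": img}, timeout=timeout)
    resp.raise_for_status()
    return resp.json()


def hidden_message(reply):
    """Return the hidden text reported in an API reply, or None.

    Assumption: a hit looks like the article's sample reply, i.e. a non-empty
    'message' string. The 'status' value is not compared, because the sample
    shows it spelled 'sucess' and the reply for a clean image is not documented.
    """
    msg = reply.get("message") if isinstance(reply, dict) else None
    return msg if isinstance(msg, str) and msg.strip() else None


def scan_folder(folder, post=post_image):
    """Check every image under `folder`; return (findings, errors) keyed by file path."""
    findings, errors = {}, {}
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_SUFFIXES:
            continue
        try:
            msg = hidden_message(post(path))
        except Exception as exc:  # network failure, HTTP error, non-JSON body
            errors[str(path)] = repr(exc)  # unchecked is not the same as clean
            continue
        if msg is not None:
            findings[str(path)] = msg
    return findings, errors
```

Files listed in `errors` were never checked, so review them separately instead of counting them as clean.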

If you are looking for a picture with a secret message inside – why don’t you test this one: