30 March 2009

TidBITS goes Undercover

David Blatner has written an interesting article on theft-recovery for TidBITS. He has some nice things to say about Undercover:

Undercover in particular does some things I'd like to see incorporated into a future version of MacTrak, such as taking screen shots as the thief works and simulating a hardware failure to force the thief into bringing the machine in for repair.

We could not agree more with David on Undercover's competitive edge.

However, I don't entirely agree with one of the author's points: he states that he does not 'like the idea of a third-party company being the mediator between me and the tracking data'. This is odd, as every theft-recovery solution out there uses a client-server system. In that respect, data is always mediated and copied to some sort of server before the victim can view it. Even if the software sends the information 'directly' to your email account, that email has been 'mediated' by their servers.

Moreover, more than three years of theft-recovery experience have taught us that having a mediator between the theft data and the Mac's rightful owner is actually an advantage.

Indeed, some theft-recovery software lets you handle all the recovery work yourself. They simply dump the iSight pictures in your mailbox and that's it.
We don't: we have a fully staffed recovery center that handles hundreds of thefts each year. We have rich in-house expertise on how to work with law enforcement in each country, including the US and Canada, Europe, Asia and Australia. As a result, we can handle recoveries more quickly and efficiently. We also assist the victim in extracting data from the screenshots he or she receives from the stolen Mac.

Having a mediator really pays off, and we consider that an important part of the service you pay for when purchasing Undercover. It's an asset, not a disadvantage.

That's not to say we handle everything behind the customer's back. Every single customer receives all the information we share with the police.

In addition, having us as a neutral mediator really encourages the police to work on the case and to take to court all the data we provide them with. This becomes much more difficult if the data is gathered by individuals, or shared on photo-sharing websites.


Nick said...

First, let me say that I find myself wishing my laptop would get stolen so that I could have the immense satisfaction of catching a thief using Undercover. The program and supporting services are very cool.

But I think there are some legitimate privacy concerns that need to be addressed, and I haven't seen a lot of evidence that Orbicule takes them seriously.

I can certainly see the advantages of your model in situations of theft. I don't think people are particularly worried about privacy when it comes to a thief's Yahoo screen name or iSight mug shot.

But what about other times? What prevents unscrupulous Orbicule employees from marking a user's laptop as stolen in the database, and screen grabbing, iSight shooting, etc.?

I'm not accusing you of mishandling your customers' data. But I'm curious about what systems you have in place to guard against the actions of rogue Orbicule employees. You're asking for a very high level of trust from your customers, and I haven't been able to find much info about safeguards.

For example, is there some failsafe notification system, that can't be bypassed, that sends a confirmation email somewhere when a device is marked as stolen?

Peter Schols said...

Nick, I see your point.
However, when a new Mac is added to our list of stolen computers, our tracking system automatically sends an to the rightful owner of the Mac. There is no way a theft can be entered without alerting the owner.

In addition, if we decided to initiate stealth mode on your Mac, you would notice this too: Undercover would take an iSight picture every 6 minutes, resulting in the green iSight light turning on for a few seconds.

We really care about our customers' privacy and we strictly adhere to our own privacy policy that's available at: http://www.orbicule.com/privacy

I'd also like to point out that this is a valid concern with any other theft recovery solution too: even if the software simply mails the images to you or uploads them to a photo sharing website, it would be possible for company employees to view sent emails on the company's mail server, and to intercept the images.

Like I wrote in the original post: all theft recovery software currently available makes use of a 'mediator', a company server that is used to temporarily store the information. As long as information is stored on a company server, the information is still readable by company employees. Even if it's stored for a few seconds only, before being transmitted to the owner.