Tag Archives: privacy

The ubiquity of Facebook

Ove the last few years, I’ve dabbled in Facebook, but frankly never really wanted to share all the trivia of my life with others, and nor did I want to know the trivia of other peoples’ lives.  Periodically, Facebook seemed to make changes to the privacy settings of the system, and therefore my account, and I have been getting increasingly annoyed at having to delve into what’s frankly quite an arcane settings system to rectify the situation.

So after news reports of what seemed to me to be a rather intrusive set of changes to the way Facebook streams trivia and tittle-tattle between users, I decided to suspend my Facebook account.  In part this decision stemmed from the stories about Facebook’s cookies tracking users’ web activity in a way that was rather difficult to close down.  I chose to suspend rather than delete my account because I thought that perhaps I would want to return to the fold, and read updates on peoples’ lives, their travails, and above all their bonkers Facebook games.  Well, perhaps not the latter.

It’s been over a month now, and I’ve not missed Facebook at all.  But.  I notice that some web companies such as Spotify now require a Facebook account to register.  This is no big deal to me, my music listening habits aren’t really going to benefit from Spotify membership – while I think I’ve increasingly embraced the digital music era, the way I think of and listen to my music collection is somewhat rooted in a vinyl LP mindset.

However, during my daily perambulations round the internet I follow a good many links, many of these to news sites where the comments are often of interest.  In general, I tend not to leave comments of my own (unless it’s a subject I’m particularly interested in), but I often like to see what the regular readers of the site have to say.  Some sites I’ve visited recently have required readers to have a Facebook login – not only to post comments, but in some cases to read comments.

This is a little sad, I think.  It’s assuming all internet users are going to buy into the loss of privacy that the Facebook mindset leads to.

(The links to Facebook on this site currently point to a page saying “This content is currently unavailable” – if and when I finally knock my Facebook account on the head, those links will go).

Hacked Off

The escalating row over the News of the World phone hacking brings further revelations overnight (News of the World hacking row escalates).  Hopefully, News International’s attempt to deflect all responsibility from Rebekah brooks to Andy Coulson will fail, and blame will fall appropriately.

The breathtaking extent of the scandal is rather worrying: why did Surrey Police take no action over the Dowler family phone hacks?  Why did the Metropolitan Police appear to do their best efforts to sweep this whole sick story under the carpet at a time when it appeared to involve only ‘Celebs’?

A campaign for a public inquiry will be launched today – Hacked Off.  There’s a petition calling for a public inquiry.

Will this scandal prevent the UK Government from approving the takeover of BSkyB by the Murdoch empire, further extending the ownership of UK media?

TalkTalk to continue invasion of customers' privacy

The BBC reports that the UK ISP TalkTalk (also known as StalkStalk) is pressing on with its intrusive malware scanning system (Talk Talk to introduce controversial virus alert system).  However a better analysis can be read over at NoDPI (Update: StalkStalk, Time to Switch ISP).

Essentially TalkTalk will visit every website visited by every TalkTalk customer, and investigate it for malware.  Essentially this is an exercise in recording customers’ web activity, in many cases recording URLs containing personal information.  TalkTalk customers cannot opt-out of the URL stalking.  As NoDPI put it:

Yesterday, TalkTalk announced the forthcoming relaunch of their ‘anti-malware’ service. The same system was covertly tested on TalkTalk subscribers in June/July.

[…]

Every URL that you visit will be captured, and used to classify the web site that you visit. The technology is supplied by Chinese company Huawei, who are commercial partners with notorious spyware company Phorm, who in turn use technology supplied by malware hackers OCS Lab in Moscow.

TalkTalk customers are advised to read the NoDPI article and judge whether their privacy would be best served by leaving for a new ISP. Personally I left BT over their dalliance with the dreadful Phorm.

See also

Government U-turn over data tracking

It would seem as though the UK government has quietly performed an about turn and revived the Intercept Modernisation Plan (‘Surveillance state’ fear as government revives tracking plan | UK news | The Guardian).  As The Guardian reports:

A £2bn plan to allow the police and security services to track the email, text, internet and mobile phone details of everyone in Britain is to be revived, the Home Office has confirmed.

The coalition agreement promised to scrap the “surveillance state” plan by pledging to “end the storage of internet and email records without good reason”. Both Conservatives and Liberal Democrats voiced criticism in opposition.

But the project, known as the interception modernisation programme, has been quietly revived – a decision buried in the back pages of the strategic defence and security review published this week. Senior Home Office officials have confirmed that legislation is being prepared.

You might have thought that in the current climate of swingeing cuts in public expenditure this might have remained axed.  But no, it’s back.

The plan doesn’t yet include retention of the content of messages (but as ever, beware of ‘function creep’).

TalkTalk = StalkStalk

The UK ISP TalkTalk was recently spotted shadowing its customers’ tracks around the internet. The excellent NoDPI.org has a comprehensive summary of why this is illegal (TalkTalk becomes StalkStalk).  Interestingly the man in charge, despite claiming to have deleted all emails from one protester has had his legal crew write an apparently evasive letter.

As with the BT-Phorm debacle, it’s going to be interesting to watch this unfold…buy I can’t see the UK regulatory bodies acting with any great rapidity if prior experience is anything to go by,

TalkTalk stalks clients' movements through the web

A story that surfaced in TalkTalk forums a while back, and more recently in the Phoenix Broadband Advisory Community and the No DPI forums has now come to the attention of The Register (TalkTalk turns StalkStalk to build malware blocker).  This one’s interesting – under the guise of harvesting URLs for future malware protection TalkTalk have been following their clients around the web.  El Reg:

It’s less TalkTalk, more StalkStalk: the UK’s second largest ISP has quietly begun following its customers around the web and scanning what they look at for a new anti-malware system it is developing.

Without telling customers, the firm has switched on the compulsory first part of the system, which is harvesting lists of the URLs every one of them visits. It often then follows them to the sites to scan for threats.

[…]

The new system is provided by Chinese vendor Huawei, and customers can’t opt out of the data collection exercise. As they browse the web, URLs are recorded and checked against a blacklist of sites known to carry malware. They are also compared to a whitelist of sites that have been scanned for threats and approved in the last 24 hours.

If a URL appears on neither list, Huawei servers follow the user to the page and scan the code. According to measurements by webmasters, the TalkTalk stalker servers show up between about 30 seconds and two minutes after TalkTalk subscribers.

Isn’t this clear copyright violation?  On guy in the PABC forums has requested the TalkTalk cease visiting his sites: they have refused to stop doing this, claiming they “reserve our rights to check your site for the protection of our users”.

It would seem that the URL harvesting takes quite a bit of information along with it.  TalkTalk claim that their crawler obeys robots.txt instructions, but from the evidence provided in the PBAC forums this isn’t actually true.  It would also seem that the process interferes with gamers’ online activities and prevents computers from being able to access the iTunes store (see for example this thread).

Phorm issues shares to raise cash

The much-disliked company Phorm, who develop probably illegal systems for probing web traffic using deep packet inspection with a view to selling on internet users’ browsing habits, have been hitting rocky times lately.  With no commercial partners currently working with them in the UK, Phorm have moved further afield and explored markets in Braxil and South Korea.  In both locations, their plans appear to have hit the buffers (according to postings at the No DPI forums).  Faced with a bit of a crisis, they appear to be trying to raise a spot of cash, accroding to The Register (Phorm issues shares to raise cash • The Register).

What’s interesting there is the named markets currently being explored are Brazil and China.  Now there’s a market the might succeed.  In the meantime, I wonder who would buy the projected shares in light of the woes that Phorm have been suffering of late?

Two views on the NHS Summary Care Record

Having opted out from having my medical records exposed to an astounding number of people via the NHS Summary Care Record (SCR) scheme, I’m always interested in seeing opinions on the SCR. There are a couple of open access opinion piece articles in the British Medical Journal. In the first, Mark Walport (Director of the Wellcome Trust) offers the view that the SCR will do more good than harm (Do summary care records have the potential to do more harm than good? No — Walport).  Walport takes the view that the SCR represents an excellent opportunity to benefit medical research – I have to confess that the usage of the SCR as a research tool had escaped me, and it occurs to me that this isn’t one of the original functions intended for it.  I’d also worry that this would represent a further extension of the already large group of people with access rights to the data.  As Walport says:

The primary purpose of electronic patient records is to improve patient care. As a patient I expect the following: that my records will be accurate and that I can work with my carers to improve their accuracy; that they will be treated confidentially; that they will be shared between the members of the healthcare team that collectively look after me in primary care and in hospital; and that they will provide a basis for accountability for the quality of my health care. In addition I would hope that my records could be linked to “expert systems” that would minimise the chance of treatment errors and maximise the chance of my being prescribed the best treatment.

Of course the expected benefits depend on quality data being entered in the system, and this is one issue that’s been highlighted as a potential problem (though it’s been noted that GPs and other medical practitioners make informed judgement on the information held).  As an aside, how accessible will these data be to a practitioner attending to someone who’s unconscious on the roadside?  How quickly can unambiguous identification be made?

In a counter opinion, Ross Anderson (Professor of Security Engineering, Cambridge University) takes an opposing view (Do summary care records have the potential to do more harm than good? Yes — Anderson), principally taking into account the security of the data, the potential for misuse, and indeed the illegality of the means of enrolling patients into the scheme.  As one might expect, Anderson approaches the issue from a very different perspective than Walport – that of data integrity and security.  Anderson points out:

The showstopper though is privacy. In 2008, the European Court of Human Rights decided the case I v Finland. Ms “I” was a nurse in Helsinki, and HIV positive; the systems at her hospital let her managers find out about her status, and they hounded her out of her job. The court awarded her compensation, finding that we have a right to restrict our personal health information to the clinicians involved directly in our care. Other staff must be unable to access records, not just “not allowed.” In 2009, colleagues and I wrote a report for the Joseph Rowntree Reform Trust, examining the impact of this and other cases on UK central government systems and concluded that the summary care record had serious legal problems. With the additional data being added, it is now clearly unlawful.

There is always a great worry about “function creep” in large-scale database systems – for example, it may well be that Walport’s view of the SCR as a research tool is an example – but the real issues for me are in data integrity and security.  Both relate to individual privacy, and the letter I received explaining I was in “by default”, and giving a very one-sided and over-optimistic opinion of the benefits of SCR raised my ire.  That, and the hoops one has to jump through to avoid being included.  Recall that once your data are in, they are there for good.

As I write this, Neil Bhatia (who maintains a website providing an opposing view of the SCR) has written a “rapid response” comment.