Memex 1.1

From BBC NEWS…

A computer containing a million bank customers’ personal data has reportedly been sold on an internet auction site.

The Daily Mail says an ex-worker for archiving firm Graphic Data sold it for £35 on eBay without removing sensitive information from the hard drive.

The Royal Bank of Scotland (RBS) and its subsidiary, Natwest, have confirmed their customers’ details were involved.

RBS said Graphic Data had told it the PC had apparently been “inappropriately sold on via a third party”.

It said historical information relating to credit card applications for their bank and others had been on the machine.

The information is said to include account details and in some cases customers’ signatures, mobile phone numbers and mothers’ maiden names.

It is thought the problem came to light when Andrew Chapman, an IT manager from Oxford, bought the computer, noticed and raised the alarm…

Might be worth considering this from Good Morning Silicon Valley.

If you’re looking to get outraged by a government’s intrusion into the electronic lives of its citizens, you don’t need to look all the way to China. The U.S. Department of Homeland Security recently revealed its current border policy on laptops, iPods and other gadgets carried into the country by returning travelers or foreign visitors, and it boils down to this: Without explanation, we can seize your laptop or any device capable of storing information (including cell phones, thumb drives, video tapes, and old-fashioned analog paper). We can keep it as long as we want. We can look through the contents, and we can share them with other agencies or private entities. And we can do all this whenever and to whomever we want — no reasonable cause needed, not even a vague suspicion of wrongdoing. And, of course, this is all OK because we are protecting our treasured American freedom.

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

This morning’s Observer column — about Google Street View…

In a way the issue is not whether this Google innovation is permitted or not, but the general direction we’re headed and the role Google might play in our collective future. Last week I wrote about the legal ruling which compelled Google to hand over to Viacom its computer logs of every single viewing of a YouTube video, including those by UK residents. The privacy implications of that ruling have since been mitigated by agreement that the data can be ‘anonymised’ by Google before handover. But, again, the direction is towards a world in which everything we do is monitored and logged - mostly by one company.

Google’s mission, according to its corporate website, is ‘to organise the world’s information and make it universally accessible and useful’. What we perhaps haven’t fully realised is that these guys really mean it. Their ambition is at least as megalomaniacal as Bill Gates’s vision of a computer on every desk running Microsoft software. So it’s time we started thinking about what a world dominated by Google would be like. As it happens, some people have - and they’ve been publishing the results on YouTube. Have a look — and then pour yourself a stiff drink.

The Register is compiling a lovely mash-up involving plotting sightings of Google’s Streetcams on Google Maps.

Here’s an interesting development — a search engine that really takes privacy seriously.

The first European privacy seal was presented today to search engine ixquick.com by the European Data Protection Supervisor Peter Hustinx on the occasion of the 30th anniversary of data protection legislation in Schleswig-Holstein.

According to the citation:

Ixquick is a meta-search engine which forwards search requests of its users to several search engines, gathers and combines their results and presents the results to the requesting users. Privacy is ensured by using several data-minimization techniques: personal data like IP addresses are deleted within 48 hours, after which they are no longer needed to prevent possible abuse of the servers. The remaining (non-personal) data are deleted within 14 days. Ixquick serves as a proxy, i.e. IP addresses of users are not disclosed to other search engines.

Hmmm… Bet that won’t appeal to the British Home Office.

Thanks to Gerard for the link.

In his Manitoba lecture, Mike Wesch mentioned a survey which suggested that 88% of the material on YouTube was original, not the copyrighted stuff the mainstream media (and Viacom) obsesses about. Here’s a great example of creative use of the platform. It’s the second of a series of four short movies about the creepier implications of Google Street View.

Thanks to Tony Hirst for spotting it.

This morning’s Observer column

On 2 July, a US district judge, Louis L Stanton, lobbed a grenade into the cosy world of social networking, user-generated content and so-called ‘cloud’ computing. He ordered Google to turn over to Viacom all of its logs relating to viewing of YouTube video clips since the search engine giant acquired the video hosting site in November 2006.

That amounts to 12 terabytes (or more than 12 million megabytes) of data: each log entry records the user name and IP (machine) address of the user who viewed the video, plus a timestamp and a code identifying the clip. What the judgment means is that if you have watched a YouTube clip at any time since November 2006, a record of that will be passed to Viacom’s lawyers…

UPDATE: This from CNET:

Viacom wants to know which videos YouTube employees have watched and uploaded to the site, and Google is refusing to provide that information, CNET News has learned.

This dispute is the reason the two companies, and lawyers representing a group of other copyright holders suing Google, have failed to reach a final agreement on anonymizing personal information belonging to YouTube users, according to two sources close to the situation.

Well, well. According to this report, the Voice of Middle England isn’t too careful about keeping sensitive data secure.

Northcliffe Media, owner of the Daily Mail, is the latest company to lose a laptop load of sensitive staff information.

A laptop containing names, addresses, bank accounts and sort codes of Mail and General Trust staff has been stolen, it emerged last week. The company told staff that the laptop was password protected - and so, presumably, not encrypted.

The company confirmed to The Register that the theft had occurred and that staff had been informed. Police and the Information Commissioner were also informed.

According to the letter from Northcliffe Media sent to staff, and seen by the Reg, staff were advised to contact their bank to warn them of potential problems.

The letter, signed by group finance director M J Hindley, said:

The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen.

I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures.

The company apologised for any inconvenience or annoyance caused by the theft.

I bet this won’t stop the Mail castigating the government for its casual attitude towards data security.

Rory Cellan-Jones has an uneasy feeling.

The YouTube case seems to show that, despite those promises, we have no real control over our data once it is lodged on a corporate server. Every detail of my viewing activities over the years - the times I’ve watched videos in the office, the clips of colleagues making idiots of themselves, the unauthorised clip of goals from a Premier League game - is contained in those YouTube logs.

All to be handed over to Viacom’s lawyers on a few “over-the-shelf four-terabyte hard drives”, according to the New York judge who made the ruling. I may protest that I am a British citizen and that the judge has no business giving some foreign company a window on my world. No use - my data is in California, and it belongs to Google, not me.

The other troubling aspect about this case was that it was only the blogs that seemed to understand the significance of the ruling when it emerged on Wednesday night. Much of the mainstream media ignored it at first, seeming to regard it as a victory for Google, because the judge said the search firm didn’t have to reveal its source code.

“I’ve never worried too much about the threat to my privacy”, Rory continues.

I’m relaxed about appearing on CCTV, happy enough for my data to be used for marketing purposes, as long as I’ve ticked a box, and have never really cared that Google knows about every search I’ve done for the last 18 months. But suddenly I’m feeling a little less confident. How about you?