Memex 1.1

Interesting story

Twitter user Orli Yakuel, with 650 followers, had a nasty surprise this morning - her direct messages (private messages between two Twitter users) showed up in her normal Twitter stream (and were subsequently published to her FriendFeed account). Friends messaged her to tell her about the embarrassing issue.

In a subsequent update, the culprit was identified:

It looks like this is a problem caused by GroupTweet, a newish third party Twitter application that allows users to direct message a lot of people at once. Orli says that she tested the application earlier today, and a number of commenters are pointing out that it may be the problem. GroupTweet requires you to create a new Twitter account to use with the service, and tell it the credentials for the account. But if you accidentally enter your primary account credentials instead, it will expose your direct messages to the public. This is not a Twitter API issue as far as I can tell, it’s a problem with the fact that GroupTweet is confusing and if you make a mistake, your direct messages are made public. This is particularly an issue for non-native English users when using it. I could have very easily made this mistake when testing the application.

TechCrunch claims that the guy who wrote GroupTweet has disabled sign-ups for the time being, but I can find no mention of that on the site.

Interesting post by Landon Fuller.

Meraki provides free wireless access throughout San Francisco, using the network name “Free The Net”. Trying out their service at a coffee shop in my neighborhood, I discovered that Meraki has adopted a location-aware advertising driven model, and are now injecting ads into every page you visit using their network. (Screen shot).

I was surprised that Meraki is adding advertising to my web site (where’s my cut?), but that’s just the beginning. Meraki is sharing your location with every site you visit.

To display their advertising, Meraki adds a small piece of JavaScript to every page:

Included in that URL is your current estimated longitude and latitude. In my case, that’s the street just outside of Cafe Reverie, where I was taking lunch — a fairly accurate reading.

This is a new twist on the cross site scripting problem — because Meraki’s script is injected directly into the site that I’m visiting, a simple piece of javascript, added by the web page’s author, can fish out your current location.

Thanks to Michael for spotting it.

One of the things that astonished me in 1999 when I was campaigning against the Regulation of Investigatory Powers Bill was the way it would grant sweeping powers of surveillance not just to genuine security authorities, but effectively to every jobsworth in the country. And lo! so it has proved. Here’s a fascinating Telegraph report on the latest abuse.

A council has used powers intended for anti-terrorism surveillance to spy on a family who were wrongly accused of lying on a school application form.

For two weeks the middle-class family was followed by council officials who wanted to establish whether they had given a false address within the catchment area of an oversubscribed school to secure a place for their three-year-old.

The “spies” made copious notes on the movements of the mother and her three children, who they referred to as “targets” as they were trailed on school runs. The snoopers even watched the family home at night to establish where they were sleeping.

In fact, the 39-year-old mother - who described the snooping as “a grotesque invasion of privacy” - had held lengthy discussions with the council, which assured her that her school application was totally in order.

Poole borough council disclosed that it had legitimately used the Regulation of Investigatory Powers Act (RIPA) to spy on the family.

Ludicrously, the Council is correct. See here for a pdf of some of the snoopers’ logs.

From The Register…

Phorm has admitted that it deleted key factual parts of the Wikipedia article about the huge controversy fired by its advertising profiling deals with BT, Virgin Media and Carphone Warehouse.

The tracking and ad targeting firm said in an email: “We wanted to clarify a number of inaccuracies in the Wikipedia entry on Phorm.”

As we reported yesterday, a number of Phorm-friendly edits were made to the page on Friday. The revisions were quickly reverted by a Wikipedian who argued that they made Phorm out to be “awesome and perfect”.

In an Update, the Register reports a phone call from Phorm promising to behave more sensitively in future.

From BBC NEWS…

Technical analysis of the Phorm online advertising system has reinforced an expert’s view that it is “illegal”.

The analysis was done by Dr Richard Clayton, a computer security researcher at the University of Cambridge.

What Dr Clayton learned while quizzing Phorm about its system only convinced him that it breaks laws designed to limit unwarranted interception of data…

Richard says, in part:

Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes gives them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.

Well now’s your chance to see all these technical details for yourself — I have, and I’m still not happy at all.

More here on the BT spokeswoman’s attempt to defend on TV the company’s covert experiment with Phorm.

From The Register…

BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the “stealth” pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

Phorm had purchased commercial space on these websites, although their URLs are not included in the documents. The groups targeted included people interested in finance (for an Egg credit card campaign), weight loss (a Weight Watchers campaign), and jobs (a Monster.com campaign).

The technical report drawn up by BT in the wake of the 2006 trial states: “The validation was made within BT’s live broadband environment and involved a user base of approximately 18,000 customers, with a maximum of 10,000 online concurrently.

“The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience.”

The cant implicit in that last sentence is breathtaking. But the more important question is whether BT has committed a criminal offence. Effectively all 18,000 test subjects were ‘opted-in’ without their knowledge.

BT has not answered The Register’s question, posed on Friday morning, over whether it believes intercepting and profiling the web traffic of 18,000 customers without telling them was a lawful act.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

One senior source in the broadband industry we spoke to was appalled by BT’s actions. “This is extremely serious,” he said. “Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP’s reputation. This seems like a breach of criminal law, which is much, much worse.”

Meanwhile, Don Foster, the Liberal Democrat shadow secretary of state for culture, media and sport, has written to the chairman of BT asking him to explain his firm’s secret trial of Phorm’s advertising technology last summer. And William Hague, the Conservative’s shadow foreign secretary, has written to the Department for Business, Employment and Regulatory Reform, voicing constituents’ opposition to the deals signed by BT, Virgin Media and Carphone Warehouse to spy on the web browsing of millions. It’ll be interesting to see what happens next.

If you’re thinking of signing up to a new ISP, you know which ones to avoid.

From Rory Cellan-Jones…

Facebook has unveiled what it says is a new policy on privacy. The press release says the aim is to give users more control over the information they choose to share. It goes on to explain that the two main features are “a standardized privacy interface across the site and new privacy options.”

Is that perfectly clear? Well, not entirely. What is a “standardized privacy interface” when it’s at home? The 75% of users who never bother to change their default privacy settings probably won’t care. But read on, and it seems the main change is the ability to differentiate between different groups of friends - and give them different levels of access to your information….

From BBC NEWS…

The creator of the web has said consumers need to be protected against systems which can track their activity on the internet.

Sir Tim Berners-Lee told BBC News he would change his internet provider if it introduced such a system.

Plans by leading internet providers to use Phorm, a company which tracks web activity to create personalised adverts, have sparked controversy.

Sir Tim said he did not want his ISP to track which websites he visited.

“I want to know if I look up a whole lot of books about some form of cancer that that’s not going to get to my insurance company and I’m going to find my insurance premium is going to go up by 5% because they’ve figured I’m looking at those books,” he said.

Sir Tim said he did not want his ISP to track which websites he visited.

He said: “It’s mine - you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.”

The Foundation for Information Policy Research has written an Open Letter to the Information Commissioner on the legality of Phorm’s advertising system. FIPR has also issued a Press Release which says, in part:

The controversial Phorm system is to be deployed by three of Britain’s largest ISPs, BT, Talk Talk and Virgin Media. However, in FIPR’s view the system will be processing data illegally:

* It will involve the processing of sensitive personal data: political opinions, sexual proclivities, religious views, and health — but it will not be operated by all of the ISPs on an “opt-in” basis, as is required by European Data Protection Law.
* Despite the attempts at anonymisation within the system, some people will remain identifiable because of the nature of their searches and the sites they choose to visit.
* The system will inevitably be looking at the content of some people’s email, into chat rooms and at social networking activity. Although well-known sites are said to be excluded, there are tens or hundreds of thousands of other low volume or semi-private systems.

More significantly, the Phorm system will be “intercepting” traffic within the meaning of s1 of the Regulation of Investigatory Powers Act 2000 (RIPA). In order for this to be lawful then permission is needed from not only the person making the web request BUT ALSO from the operator of the web site involved (and if it is a web-mail system, the sender of the email as well).

FIPR believes that although in some cases this permission can be assumed, in many other cases, it is explicitly NOT given — making the Phorm system illegal to operate in the UK:

* Many websites require registration, and only make their contents available to specific people.
* Many websites or particular pages within a website are part of the “unconnected web” — their existence is only made known to a small number of trusted people.

The full text of the open letter is here.

From The Register…

The head of the UK government’s secret electronic spying and codebreaking agency, GCHQ, has said that his organisation’s ability to intercept conversations and messages is seriously undermined by internet-protocol (IP) communications. The digital spook’s comments may come as a blow to British and European politicians who have sworn to eradicate terrorism from the internet.

The revelations came as part of the annual parliamentary oversight report into the doings of the UK intelligence community, which was released today. The report is compiled by the specially-vetted MPs and lords of the Intelligence and Security Committee (ISC), who are allowed to review secret data and grill important mandarins from the shadowier parts of Whitehall…