Great Firewall of China (contd.)

Citizen Lab at the University of Toronto has just released its analysis of surveillance and security practices on China’s TOM-Skype platform. No surprises. They uncovered a huge surveillance system that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

John Markoff of the NYT has a report.

PDF of the Citizen Lab report available from here.

I’ve always assumed that Skype was compromised — which is why I would never use it for confidential conversations. Wonder what eBay have to say about it all?

PA sacked by Ministry of the Interior

From The Register

The Home Office has today terminated a £1.5m contract with PA Consulting after it lost the personal details of the entire UK prison population.

In August the firm admitted to officials that it had downloaded the prisons database to an unencrypted memory stick, against the security terms of its contract to manage the JTrack prolific offender tracking system. The data included names, addresses and dates of birth, and was broken down by how frequently individuals had offended.

Following an inquiry into the gaffe, Jacqui Smith told the House of Commons today that PA Consulting’s £8m of other Home Office contracts are now also under review. She said: “The Home Office have decided to terminate this contract. My officials are currently working with PA to take this work back in-house without affecting the operation of JTrack.”

Data handling for JTrack has been taken on by the Home Office, and maintenance and training are due in-house by December.

The inquiry found the Home Office had transferred the data to PA Consulting securely, but that the firm then dumped it to unlabelled USB memory to transfer it between computers at its premises. The stick hasn’t been found. Smith said: “This was a clear breach of the robust terms of the contract covering security and data handling.”

What took them so long?

Hurry! Get your personal data on eBay now!

From BBC NEWS

A computer containing a million bank customers’ personal data has reportedly been sold on an internet auction site.

The Daily Mail says an ex-worker for archiving firm Graphic Data sold it for £35 on eBay without removing sensitive information from the hard drive.

The Royal Bank of Scotland (RBS) and its subsidiary, Natwest, have confirmed their customers’ details were involved.

RBS said Graphic Data had told it the PC had apparently been “inappropriately sold on via a third party”.

It said historical information relating to credit card applications for their bank and others had been on the machine.

The information is said to include account details and in some cases customers’ signatures, mobile phone numbers and mothers’ maiden names.

It is thought the problem came to light when Andrew Chapman, an IT manager from Oxford, bought the computer, noticed and raised the alarm…

Thinking of taking your laptop to the US?

Might be worth considering this from Good Morning Silicon Valley.

If you’re looking to get outraged by a government’s intrusion into the electronic lives of its citizens, you don’t need to look all the way to China. The U.S. Department of Homeland Security recently revealed its current border policy on laptops, iPods and other gadgets carried into the country by returning travelers or foreign visitors, and it boils down to this: Without explanation, we can seize your laptop or any device capable of storing information (including cell phones, thumb drives, video tapes, and old-fashioned analog paper). We can keep it as long as we want. We can look through the contents, and we can share them with other agencies or private entities. And we can do all this whenever and to whomever we want — no reasonable cause needed, not even a vague suspicion of wrongdoing. And, of course, this is all OK because we are protecting our treasured American freedom.

Does Skype have a back door?

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

Say ‘Cheese!’ for Google

This morning’s Observer column — about Google Street View…

In a way the issue is not whether this Google innovation is permitted or not, but the general direction we’re headed and the role Google might play in our collective future. Last week I wrote about the legal ruling which compelled Google to hand over to Viacom its computer logs of every single viewing of a YouTube video, including those by UK residents. The privacy implications of that ruling have since been mitigated by agreement that the data can be ‘anonymised’ by Google before handover. But, again, the direction is towards a world in which everything we do is monitored and logged – mostly by one company.

Google’s mission, according to its corporate website, is ‘to organise the world’s information and make it universally accessible and useful’. What we perhaps haven’t fully realised is that these guys really mean it. Their ambition is at least as megalomaniacal as Bill Gates’s vision of a computer on every desk running Microsoft software. So it’s time we started thinking about what a world dominated by Google would be like. As it happens, some people have – and they’ve been publishing the results on YouTube. Have a look — and then pour yourself a stiff drink.

First European Privacy Seal awarded

Here’s an interesting development — a search engine that really takes privacy seriously.

The first European privacy seal was presented today to search engine ixquick.com by the European Data Protection Supervisor Peter Hustinx on the occasion of the 30th anniversary of data protection legislation in Schleswig-Holstein.

According to the citation:

Ixquick is a meta-search engine which forwards search requests of its users to several search engines, gathers and combines their results and presents the results to the requesting users. Privacy is ensured by using several data-minimization techniques: personal data like IP addresses are deleted within 48 hours, after which they are no longer needed to prevent possible abuse of the servers. The remaining (non-personal) data are deleted within 14 days. Ixquick serves as a proxy, i.e. IP addresses of users are not disclosed to other search engines.

Hmmm… Bet that won’t appeal to the British Home Office.

Thanks to Gerard for the link.

The word on the street

In his Manitoba lecture, Mike Wesch mentioned a survey which suggested that 88% of the material on YouTube was original, not the copyrighted stuff the mainstream media (and Viacom) obsesses about. Here’s a great example of creative use of the platform. It’s the second of a series of four short movies about the creepier implications of Google Street View.

Thanks to Tony Hirst for spotting it.

Who’s watching what?

This morning’s Observer column

On 2 July, a US district judge, Louis L Stanton, lobbed a grenade into the cosy world of social networking, user-generated content and so-called ‘cloud’ computing. He ordered Google to turn over to Viacom all of its logs relating to viewing of YouTube video clips since the search engine giant acquired the video hosting site in November 2006.

That amounts to 12 terabytes (or more than 12 million megabytes) of data: each log entry records the user name and IP (machine) address of the user who viewed the video, plus a timestamp and a code identifying the clip. What the judgment means is that if you have watched a YouTube clip at any time since November 2006, a record of that will be passed to Viacom’s lawyers…

UPDATE: This from CNET:

Viacom wants to know which videos YouTube employees have watched and uploaded to the site, and Google is refusing to provide that information, CNET News has learned.

This dispute is the reason the two companies, and lawyers representing a group of other copyright holders suing Google, have failed to reach a final agreement on anonymizing personal information belonging to YouTube users, according to two sources close to the situation.