Daily Mail loses personal data on employees

Well, well. According to this report, the Voice of Middle England isn’t too careful about keeping sensitive data secure.

Northcliffe Media, owner of the Daily Mail, is the latest company to lose a laptop load of sensitive staff information.

A laptop containing names, addresses, bank accounts and sort codes of Mail and General Trust staff has been stolen, it emerged last week. The company told staff that the laptop was password protected – and so, presumably, not encrypted.

The company confirmed to The Register that the theft had occurred and that staff had been informed. Police and the Information Commissioner were also informed.

According to the letter from Northcliffe Media sent to staff, and seen by the Reg, staff were advised to contact their bank to warn them of potential problems.

The letter, signed by group finance director M J Hindley, said:

The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen.

I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures.

The company apologised for any inconvenience or annoyance caused by the theft.

I bet this won’t stop the Mail castigating the government for its casual attitude towards data security.

More on Viacom’s data-heist

Rory Cellan-Jones has an uneasy feeling.

The YouTube case seems to show that, despite those promises, we have no real control over our data once it is lodged on a corporate server. Every detail of my viewing activities over the years – the times I’ve watched videos in the office, the clips of colleagues making idiots of themselves, the unauthorised clip of goals from a Premier League game – is contained in those YouTube logs.

All to be handed over to Viacom’s lawyers on a few “over-the-shelf four-terabyte hard drives”, according to the New York judge who made the ruling. I may protest that I am a British citizen and that the judge has no business giving some foreign company a window on my world. No use – my data is in California, and it belongs to Google, not me.

The other troubling aspect about this case was that it was only the blogs that seemed to understand the significance of the ruling when it emerged on Wednesday night. Much of the mainstream media ignored it at first, seeming to regard it as a victory for Google, because the judge said the search firm didn’t have to reveal its source code.

“I’ve never worried too much about the threat to my privacy”, Rory continues.

I’m relaxed about appearing on CCTV, happy enough for my data to be used for marketing purposes, as long as I’ve ticked a box, and have never really cared that Google knows about every search I’ve done for the last 18 months. But suddenly I’m feeling a little less confident. How about you?

Now Viacom knows where you are

This is truly — as Marc Rotenberg, executive director of the Electronic Privacy Information Center put it — one of those “I told you so” moments.

For every video on YouTube, the judge required Google to turn over to Viacom the login name of every user who had watched it, and the address of their computer, known as an I.P. or Internet protocol address.

Both companies have argued that I.P. addresses alone cannot be used to unmask the identities of individuals with certainty. But in many cases, technology experts and others have been able to link I.P. addresses to individuals using other records of their online activities.

The amount of data covered by the order is staggering, as it includes every video watched on YouTube since its founding in 2005. In April alone, 82 million people in the United States watched 4.1 billion clips there, according to comScore. Some experts say virtually every Internet user has visited YouTube.

Of course Viacom swears blind that the only people who will have access to this information are its lawyers (who are working on its $1 billion copyright infringement suit against Google). But it brings one up sharply against the implications of cloud computing.

Sweden caves in to Osama

Osama bin Laden’s campaign to eliminate civil liberties in the West has notched up another victory — this time in Sweden, formerly a paragon of sweetness and light in these matters.

Sweden this evening voted in favour of its controversial snoop law, after the proposal was amended earlier today.

Under the new law, all communication across Swedish borders will be tapped, and information can also be traded with international security agencies, such as America’s National Security Agency.

A total of 143 members of parliament voted to pass the bill into law, with 138 delegates opposed.

Earlier today, Prime Minister Fredrik Reinfeldt failed to win the backing of his four-party coalition: the draft was sent back to the committee for revision. Key members of parliament who were likely to vote against the proposition were put under pressure by their parties, according to some reports.

Despite receiving copies of George Orwell’s book 1984 from protesters earlier this week, MPs from Sweden’s ruling party believe the law does not constitute the final nail in the coffin of democracy.

Media groupthink and Mr Davis

Here’s a good journalistic rule: whenever you find a consensus, look out for rodent smells. When David Davis stunned the Westminster village with his resignation on Thursday, I watched and listened to most of the mainstream broadcast coverage that evening. It was scarily uniform, which didn’t square at all with my own hunch that Davis’s move is a game-changer. Which is very welcome, because it’s clear that the great British public is sleepwalking into an authoritarian nightmare and something very dramatic is needed to provide a wake-up call. My hope is that the hoo-hah which will surround the by-election might provide such a call.

It’s reassuring to find that my Observer colleague, Henry Porter, sees it the same way, not least because he has been a forceful critic of Labour’s creeping authoritarianism from the beginning. In a terrific column this morning he observes that

The political classes don’t like this sort of thing. There’s too much raw emotion involved. Like nervous prefects, they dismissed Davis as vain, egotistical, narcissistic and irresponsible. He was, said one commentator of my acquaintance, suffering from a mid-life crisis and probably knew he didn’t have the brains to be Home Secretary, which is why he had bailed out.

That very much captures what is wrong with the Westminster village, which is so consumed with the talk of power, the jockeying for power, the acquisition and loss of it, that there is very little space left in the minds of journalists and politicians for principles and ideas. Yet that was what so much of last week in the House of Commons was about. Let us not forget that the Prime Minister won 42 days pre-charge detention by buying votes from nine hard-faced men from Northern Ireland, while 36 members of his own party stood up for the fundamental freedoms of our country. This was a moral defeat, not for Labour, but for Gordon Brown.

Then the unthinkable occurred. Davis appeared like Cyrano de Bergerac with his sword drawn at St Stephen’s entrance to the House of Commons – a venue occasioned by Speaker Martin’s undemocratic refusal to allow him to address the chamber – and challenged anyone and everyone…

Like Henry, I am sending Davis a cheque and a letter of support.

Two machines are better than one

This morning’s Observer column

If you’ve signed up for a new web service recently, you may have noticed that a final stage of the enrolment process presents you with an indistinct image of a number of letters and numbers, often in a wavy line, and sometimes displayed against a confusing background. You are asked to identify the sequence and type it accurately into a text box. You have just encountered a Captcha…

Tweet, tweet, and, er publish

Interesting story

Twitter user Orli Yakuel, with 650 followers, had a nasty surprise this morning – her direct messages (private messages between two Twitter users) showed up in her normal Twitter stream (and were subsequently published to her FriendFeed account). Friends messaged her to tell her about the embarrassing issue.

In a subsequent update, the culprit was identified:

It looks like this is a problem caused by GroupTweet, a newish third party Twitter application that allows users to direct message a lot of people at once. Orli says that she tested the application earlier today, and a number of commenters are pointing out that it may be the problem. GroupTweet requires you to create a new Twitter account to use with the service, and tell it the credentials for the account. But if you accidentally enter your primary account credentials instead, it will expose your direct messages to the public. This is not a Twitter API issue as far as I can tell, it’s a problem with the fact that GroupTweet is confusing and if you make a mistake, your direct messages are made public. This is particularly an issue for non-native English users when using it. I could have very easily made this mistake when testing the application.

TechCrunch claims that the guy who wrote GroupTweet has disabled sign-ups for the time being, but I can find no mention of that on the site.

Surveillance by Javascript

Interesting post by Landon Fuller.

Meraki provides free wireless access throughout San Francisco, using the network name “Free The Net”. Trying out their service at a coffee shop in my neighborhood, I discovered that Meraki has adopted a location-aware advertising driven model, and are now injecting ads into every page you visit using their network. (Screen shot).

I was surprised that Meraki is adding advertising to my web site (where’s my cut?), but that’s just the beginning. Meraki is sharing your location with every site you visit.

To display their advertising, Meraki adds a small piece of JavaScript to every page:

Included in that URL is your current estimated longitude and latitude. In my case, that’s the street just outside of Cafe Reverie, where I was taking lunch — a fairly accurate reading.

This is a new twist on the cross site scripting problem — because Meraki’s script is injected directly into the site that I’m visiting, a simple piece of JavaScript, added by the web page’s author, can fish out your current location.

Thanks to Michael for spotting it.
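
An added example, not from Landon Fuller’s post or from Meraki: a check a site owner could run on a copy of their page fetched over a suspect network, flagging scripts from origins they never included and noting whether those script URLs carry coordinate-like parameters. The hostnames, the parameter names (`lat`, `lon`) and the sample HTML are constructed for illustration, since the injected snippet itself is not reproduced above.

```javascript
// Added example: audit a page's <script src> URLs for injected third-party
// scripts whose query strings carry coordinate-like parameters.
// Hostnames, parameter names and the sample HTML are constructed, not Meraki's.

const COORD_KEYS = /^(lat|latitude|lon|lng|long|longitude)$/i;

// True when the value parses as a plausible decimal latitude/longitude.
function looksLikeCoordinate(value) {
  if (!/^-?\d{1,3}\.\d{3,}$/.test(value)) return false;
  return Math.abs(Number(value)) <= 180;
}

// Return one finding per script whose origin is not in allowedOrigins.
function auditScripts(html, pageUrl, allowedOrigins) {
  const findings = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try { url = new URL(m[1], pageUrl); } catch { continue; } // skip unparsable src
    if (allowedOrigins.includes(url.origin)) continue;         // the site's own script
    const leaked = [];
    for (const [key, value] of url.searchParams) {
      if (COORD_KEYS.test(key) && looksLikeCoordinate(value)) leaked.push(key);
    }
    findings.push({ origin: url.origin, leaksLocation: leaked.length > 0, params: leaked });
  }
  return findings;
}

// Constructed sample: the page as its author wrote it, plus one injected tag.
const samplePage = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://ads.example.net/inject.js?lat=37.76512&lon=-122.43901&net=free"></script>
</head><body>Hello</body></html>`;

const report = auditScripts(samplePage, "http://blog.example.org/post",
                            ["http://blog.example.org"]);
console.log(report);
```

Serving the site over HTTPS removes the opportunity for this kind of in-path injection, because the access network can no longer rewrite the page.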

City council spies on family using RIPA

One of the things that astonished me in 1999 when I was campaigning against the Regulation of Investigatory Powers Bill was the way it would grant sweeping powers of surveillance not just to genuine security authorities, but effectively to every jobsworth in the country. And lo! so it has proved. Here’s a fascinating Telegraph report on the latest abuse.

A council has used powers intended for anti-terrorism surveillance to spy on a family who were wrongly accused of lying on a school application form.

For two weeks the middle-class family was followed by council officials who wanted to establish whether they had given a false address within the catchment area of an oversubscribed school to secure a place for their three-year-old.

The “spies” made copious notes on the movements of the mother and her three children, who they referred to as “targets” as they were trailed on school runs. The snoopers even watched the family home at night to establish where they were sleeping.

In fact, the 39-year-old mother – who described the snooping as “a grotesque invasion of privacy” – had held lengthy discussions with the council, which assured her that her school application was totally in order.

Poole borough council disclosed that it had legitimately used the Regulation of Investigatory Powers Act (RIPA) to spy on the family.

Ludicrously, the Council is correct. See here for a pdf of some of the snoopers’ logs.

Phorm tries a spot of creative editing

From The Register

Phorm has admitted that it deleted key factual parts of the Wikipedia article about the huge controversy fired by its advertising profiling deals with BT, Virgin Media and Carphone Warehouse.

The tracking and ad targeting firm said in an email: “We wanted to clarify a number of inaccuracies in the Wikipedia entry on Phorm.”

As we reported yesterday, a number of Phorm-friendly edits were made to the page on Friday. The revisions were quickly reverted by a Wikipedian who argued that they made Phorm out to be “awesome and perfect”.

In an Update, the Register reports a phone call from Phorm promising to behave more sensitively in future.