Let he who maintains his own privacy throw the first stone

As a society, we continue to be in a state of conflict when it comes to data. On the one hand, we’re often outraged over regular news around data breaches, while on the other hand we think nothing about trading our identities for a chocolate bar or less, often volunteering intimate data such as medical or financial information.

Said Raj Samani in a Computer Weekly article linked to Data Protection Day.

And you know what? I think he is completely correct.

While data breaches are bad news for everyone – the companies concerned, their employees, shareholders and, most of all, those whose data was compromised, the sad truth is that us humans have double standards when it comes to our own personal information, complaining that our Telco was hacked while taking to Twitter to announce where we are, who we’re with and what we’re likely to be doing for the next three weeks and with whom.

Crazy!

But then we’ve always had an uncomfortable relationship with privacy, haven’t we?

Or at least in evaluating its worth.

Those who give up their privacy for security deserve neither.

It’s not like the privacy debate is new – we’ve been here many times before and discussions about its worth certainly pre-date the internet but, with the advent of the web, the discussions have certainly become more frequent. Or more visible at least.

Such that we are at the point where every tiny technological advance is accompanied by questions about the effect it may have on that most valuable of worthless commodities we hold so dear, only to toss away when everyone is looking.

Take fitness trackers for example.

The world and his dog wrote about the privacy concerns surrounding such devices when they first appeared on the market, noting how valuable the accompanying data could be to insurers and how the consumer could ultimately end up paying a high price for sharing their heartbeat with a server they never bothered to check the location of.

Yet no-one tossed their bands in the bin.

They just upgraded to them to watches instead.

And we were all up late at night pulling our hair out (you wondered why everyone working in InfoSec was follicly challenged, right?) when Snowden told us all what we all secretly already knew about the NSA, GCHQ, etc.

But here we are on the internet still. Business as usual.

How many of you are using a VPN? PGP? Tor?

Yeah, that’s what I thought.

So, as Data Protection Day draws to a close, I say it’s time to think.

Why do you recognise these 24 hours as significant?

Is it because you were asked to write an article about it? Or did you think reading about it was the ‘cool’ thing to do today?

Or do you genuinely care about your privacy?

If you do, remember this isn’t January the first. You don’t get to make promises you have no intention of keeping tomorrow if you want to maintain the minimal amount of privacy you still have today.

And if you are loose with your own personal information you don’t get to throw a stone next time a big data breach hits the news.

That’s only fair, right?

Smartphone shopping: “Advert to aisle 4 please”

If you’ve ever worked strange hours you may well have experienced the weirdness of late night shopping.

Navigating pallets, cages and assorted debris on the floor while staff – who are best left out of the limelight of day time trading – scurry around filling shelves is a challenge on a par with finding any kind of customer service in the dimly moonlit hours.

Survive the health and safety at work challenge though, and you’ll be rewarded with a boot load of beer and, if you’ve been especially forward in your thinking, perhaps a couple of days food too. Failing that, the garage on the way home sells Pringles, eh.

But whatever you come away with, you’ll be relieved that you weren’t followed around the store – after all, all the other people shopping at 1 am are weirdos right?

Not so fast buster… you probably were tailed, you just weren’t aware enough to notice.

After all, it wasn’t that 18 stone unwashed guy with nothing but an axe head in his basket that was watching you. It wasn’t the security guard tilting and panning his cameras as you navigated aisle 14 either.

It was your phone.

If you’d shopped during the day like sane people do, you’d have been awake enough to realise that a 3-for-2 offer display lit up in from of your favourite beverage, but only when YOU approached it.

Why?

Because retailers are becoming increasingly interested in the next logical step up from loyalty cards – they not only want to know who you are and what you buy, they also want to know whereabouts you are in the store.

Ostensibly a way of encouraging extra sales and thus ‘helping’ the customer, such technology has to be kept in check though.

Even though it has some benefits, such as helping add more to a customer’s trolley, crowd control and retail buying decisions, it also has the potential to infringe upon consumers’ privacy if not reigned in with checks and balances.

As Dr Simon Rice, Group Manager for the Technology team which provides technical expertise to the ICO, says:

When this type of technology is used to generate aggregate statistics about daily visitor numbers or to generate an alert if an area is overcrowded, it can be done in a privacy-friendly manner.

But…

Even if the identification of individuals is not the intended purpose, the implications of intelligent video analytics for privacy, data protection, and other human rights are still significant.

Rice offered up a list of recommendations to help tackle the potential privacy issues caused by this type of tech, highlighting how the key point was transparency – individuals should not be kept in the dark when it comes to having their data collected. Likewise they should be informed how that data will be used.

Whether the thought of retail tracking enthrals or enrages you, its here to stay. If you don’t believe me, just take a look at the US where its been prevalent for some time now, along with its fair share of privacy issues.

Dazzling Windows 10 stats, but where did the data come from?

At the beginning of the week, Microsoft pushed a blog post out in which it heralded the amazing success of Windows 10 (it’s biased, don’t you know).

privacy1

If you haven’t already seen it, the article details the following achievements earned by the new operating system:

  • More than 200 million devices globally are running Windows 10
  • Of those , 40% became active on are after the recent Black Friday sales
  • Adoption of Windows 10 is outpacing all other Microsoft operating systems of years gone by (up 140% on Windows 7 and, surprise, surprise, up 400% on Windows 8 uptake)
  • Windows 10 users spent a combined 11 billion hours on their devices in December 205
  • Cortana has been questioned 2.5 billion times since Windows 10 was launched
  • The accompanying web browser – Edge – was responsible for 0.71 billion hours of surfing in the last month of last year
  • The operating system’s photo application has been used to view some 82 billion pics
  • Windows 10 slackers have spent over 4 billion hours playing games
  • Bing has seen an increase in search volume of 30% (so that’s 4 people a day now, huh?)
  • Windows 10 PCs have been used to stream over 6.5 billion hours of Xbox One gaming

Perhaps brought about by the company’s own warnings over previous favourite, Windows 7, the figures are pretty awesome, wouldn’t you agree?

But how has Microsoft been able to collate such a hefty range of figures that you would not expect to be readily available?

privacy2

The answer, it seems, lies in user data shared with the software giant, which begs the question: does Windows 10 present a privacy concern to all those people who chose, or will soon be compelled, to adopt the successor to Windows 8.1?

According to Martin Brinkmann of Ghacks:

“The statistics indicate that Microsoft may be collecting more data than initially thought.

While it is unclear what data is exactly collected, it is clear that the company is collecting information about the use of individual applications and programs on Windows at the very least.

The real question is how fine grained the data collecting actually is. For instance, is Windows 10 recording what users do in Edge or the actual questions that individual users ask Cortana?

Microsoft says it is collecting data only to help it make Windows 10 a better experience for users, and I for one have no reason to doubt that, but some of the figures do leave me pondering just what the company is keeping tabs on and in how much detail.

It would also be nice to be given the option to share nothing whatsoever with the Redmond company, though there is much you can do to limit the amount of data it can grab.

But, as of now, answers and complete solutions are in short supply, which may go some way in explaining why my PC has been relegated to gaming duties and everything else I do is now via a far more fruity operating system.

What are your views though, are you bother about how much Microsoft knows about your Windows 10 usage?

Is Dublin Airport recording your phone data?

Hmmm… interesting question, and one many of you may have in mind as you pass through the airport on your way to and from IRISSCON later this week.

The query in question came about following a piece in the Irish Independent about a man who ‘erroneously’ carried a sharp-bladed implement onto a plane.

As part of that write-up, author Emaa Jane Hade wrote:

The DAA [Dublin Airport Authority] uses an “automated technology” system to ensure passengers spend no longer than half an hour in the queue for security checks.

It is understood this ­technology tracks the length of time that passengers carrying Bluetooth- and wifi-enabled devices spend in the queue.

A member of the security team at Dublin Airport revealed there are sensors placed in the roof of the security area that record the time the device and the passenger enters and leaves the queue.

Interesting.

On the face of it, a quick run through security checks may sound appealing, though perhaps slightly less so right now in the wake of the Paris attacks, but what does it mean for passenger privacy?

If you have Wi-Fi or Bluetooth switched on, which I guess many travellers probably do, at least up until the point where they board the aircraft, then Dublin Airport has the capability to track your devices through either or both, irrespective of whether they are actually connecting to anything or not.

And that obviously relates not only to your mobile phone but also your smart watch, tablet, fitness tracker, etc.

The corresponding Wi-Fi and/or Bluetooth MAC address will be hoovered up and, under normal circumstances, both will act as a sort of fingerprint on account of the fact that they are unique to every device.

With that information, the airport can track passengers in much the same way some shops already do, building profiles of where they go.

Given the size of the airport and the relative lack of shopping facilities, it doesn’t appear to be that big a deal but Dublin Airport caters for a large volume of traffic each year, and we know how security services are attracted to bulk data like bees to honey.

Again, possibly not too much for the average passenger to become overly concerned about but there is still an important question at the heart of all this: when did Dublin Airport ask permission to collect this data in the first place?

According to the DAA, the data it collects is not “personal” even though it is obviously personally identifying, and is used only to:

measure and check queue/dwell times at the airport, and the only parties who have access to the data are DAA and the company which operates the system.

Fortunately, the airport appears to be listening though, recently saying that it is in the process of upgrading its system to encrypt collected MAC addresses in such a way that they won’t be able to be linked back to the original MAC address.

Sounds good… but, once again, when and where did Dublin Airport reveal it was collecting such data in the first place?

The answer to that question is something I cannot find.

Microsoft Transparency Report details takedown requests

Ever since Edward Snowden told us what we already secretly knew – namely that our governments are more than a little keen to know what we get up to online – tech companies have been keen to keep us in the loop via annual transparency reports.

Yesterday, for the first time, Microsoft joined in the fun by publishing its own list of statistics, detailing content removal requests both from private individuals and from governments.

Microsoft Transparency Report

While the total figures quoted are laughably small in comparison to similar disclosures made by Google, they do offer some interesting insight into who is looking to protect their privacy/has something to hide/wants to know what you have to hide.

For instance, in the first six months of 2015 the company received 759 link removal requests from Germans wishing to exercise their ‘right to be forgotten’ under the 2014 ECJ ruling that affords a person the right to have inaccurate or outdated information about them removed from search engine results pages.

Of the total of 3,546 such requests it received, the second highest total of 559 came from Brits who were looking to have content removed primarily from Bing, as well as OneDrive, MSN and Bing Ads.

Microsoft says it has complied with around half of the requests it received.

As far as government requests go, China asked for way more links to be removed than any other country – 165 – which is perhaps no surprise given the regime of censorship to be found in that region.

By way of comparison, the UK government only asked for two links to be dropped, as did Russia. The Americans asked Microsoft to remove 11 links while Germany made the same request in respect of just 5 links. That’s out of a total of 186 requests made during the period.

As you may imagine, the figures aren’t quite so small when it comes to law enforcement and government requests for information about users of Microsoft’s services.

In all, the company received some 35,228 requests for data in the first six months of 2015, a slight rise over the preceding 6 month period, it said.

Of those, only 3% led to the handing over of content or other data as Microsoft stressed it only ever responds to a valid court order or warrant, a point strengthened by the news that the company turned away twice as many requests (4,383) as last year (2,342) for failing to comply with legal requirements.

Overall, however, the company did hand over subscriber or transactional data in response to 67% of the government requests it received.

Interestingly, though, the report shows how 16% of data requests were unable to be fulfilled as no data was actually found.

Describing its new Transparency Report as version 1.0, Microsoft said:

We also expect that our new Microsoft Transparency Hub will continue to evolve as we gather here reports on a variety of other topics and seek to provide our customers with a better understanding of how Microsoft works to improve transparency about these types of requests and about our own activities around the world.

Facebook Exec to other companies – ‘Privacy will cost you’

If the Irish Data Protection Commissioner orders Facebook to suspend data transfers from Europe to the US, the cost to US multinationals could run into the billions.

Or at least that is the view of a senior Facebook executive who wished to remain anonymous.

Quoted by Ledger Gazette, the official said:

It would be very expensive to divide out data so that it’s stored only in Europe. We would have to build new data centres [in Europe]. We would probably also have to halt some product development while we rethink the architecture of how the data was stored and dealt with.

Even before the recent Safe Harbor ruling, Facebook had announced plans to build a new €200m data centre – its second in Europe (the other is in Sweden) – in County Meath, a move echoed by Google which has also recently unveiled plans for an Irish data centre with the announcement of a €150m project in Dublin.

Both firms may be feeling quite chuffed with themselves over such a decision now that the European Court of Justice (ECJ) has told the Irish Data Protection Commissioner to take another look at a case concerning the privacy of European users’ Facebook data stored in the US.

Contrary to the views of ex-Commissioner Billy Hawkes, the ECJ said the post-Snowden realisation that US authorities were engaging in mass surveillance of data, including the personal information of European citizens, stored by Facebook and other companies, meant the Irish regulator may now need to “suspend” the transfer of data published on the social network where that transfer would take the data outside of Europe and onto US servers.

Irish regulator Helen Dixon is unlikely to conclude an investigation into the case until late next year but, even so, the unnamed executive warned that the ‘wrong’ decision could prove both costly and difficult to comply with, especially as existing ‘backup’ data centres are currently located in many different countries around the world:

We store several copies of each photo uploaded to Facebook in several different data centres in case one site goes down.

Facebook is a free service. That’s a lot of added new cost for a free service.

Of course the Safe Harbor agreement won’t suddenly force Facebook offline overnight – there are a number of temporary measures it can employ, such as gaining user consent to carry on as is – but things may change as the ECJ adds clarification in the future.

For its part, the European Court of Justice ruling that US mass surveillance undermined the fundamental privacy rights of European citizens could affect as many as 4,400 companies, including Apple, Google, Microsoft and other organisations primarily doing business in the technology sector.

Though Max Schrems, whose action led to the case appearing before Europe’s highest court, says the consequences of the ruling will have little effect on consumers, the potential costs added to affected company’s bottom lines will have to be borne somewhere.

So it is quite possible that user experience will be affected, though not in terms of surfing speeds or product availability. The experience may instead be altered by the additional costs of European data centres, paid for by the increasing price of goods and services they provide.

Except, perhaps, in the case of those companies that offer their services for free. They have an entirely different business model which allows them to make their money in an altogether different fashion, via a product close to home.

Can you guess what that product is?

Leaky NHS health apps removed amid privacy concerns

The UK’s National Health Service (NHS) has had to remove several of its own health apps from its library after researchers discovered they were putting users’ privacy at risk.

The affected apps, part of NHS England’s Health Apps Library, were found to be sending unencrypted personal and medical information over the internet.

The privacy blunder was discovered by researchers from Imperial College London who first contacted NHS officials in April to express concern over how some apps were handling data.

Kit Huckvale, a PhD student at the college, told the BBC that the findings were not altogether dissimilar to what they had found in other health apps but the fact that they had all supposedly been vetted and approved by the NHS was “surprising”.

Huckvale, the lead researcher, said man in the middle attacks were used to analyse 79 apps over a period of six months in 2013.

Of those, 70 transmitted data over the internet and 38 had a privacy policy in place which did not disclose what information would be sent. Furthermore, 23 apps transmitted personal information without encryption and 4 also passed medical data with the same lack of protection in place.

Commenting on the findings, Huckvale said:

Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS.

The results of the study provide an opportunity for action to address these concerns, and minimise the risk of a future privacy breach.

The report into apps aimed at smokers, drinkers and those wishing to lose weight, comes at a time when the UK government says patients could soon be able to access their medical records via their smartphones – earlier this month the Health Secretary, Jeremy Hunt, said his ambition was to get 15% of NHS patients routinely reading and adding to their online medical records using smartphone apps within the next year – and the NHS looks to increase the use of apps as an additional support mechanism for patients.

Responding to the BBC’s story, a spokesman for NHS England said:

We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated.

A new, more thorough NHS endorsement model for apps has begun piloting this month.

While health data is a high value commodity – can you imagine its worth to an insurance company? – personal information can often be far more valuable, though many people do not realise that until it’s too late and their identity has been stolen, or their details used against them for other types of fraud.

So, with that in mind, this story should hopefully serve as a wake-up call to any company that puts apps out in the marketplace, whether developed in-house or by a contractor.

With the appetite for smart devices and the apps that run on them remaining high, the temptation to put something out there quickly may be hard to resist. But stop. And think. Has your developer followed good security practice? Have they considered how the app will handle and transmit personal data?

And have you thought about the possible legal implications of offering an app that transmits personal or, heaven forbid, medical data, in an unencrypted format?

Coming, ready or not – Windows 10, the operating system that wants to be wanted

If you were running a PC on Windows 7 through 8.1 a while back you may have become excited in the run-up to the release of Windows 10, what with the free upgrade and all.

If you were lucky, or persistent enough to cope with a multitude of problems, then you could have been among the early adopters who transmuted a reserved copy into the real deal at or soon after its release date.

Windows 10

Not everyone was so keen though – I myself only have Windows 10 installed on one of a few machines at my disposal because, well, being an earlier adopter with Microsoft is never a good idea, is it?

Especially with the new auto-updates and all.

I’d rather wait to upgrade the other machines in my house – my kids computers – because if there are any gremlins in the system then I’m the first and last line in tech support, a job that seemingly never ends as it is.

So, simple solution thought I – don’t even reserve a copy on their machines. After all, its going to be free for a year so plenty of time available to get it installed at a later date.

But…

“Dad, I’ve run out of room on my computer”.

Oh, that’s strange, I wonder why?

Ah…. a hidden directory named $Windows.~BT. Hmmm…. that sounds familiar…. I remember seeing that when I was messing around with my installation of Windows 10. Curious.

So why is there 4.2 GB of unwanted operating system on my daughter’s computer?

Oh, and hang on, why is it asking to be installed?

Curiosity may have killed the cat but in my house it’s a far more dangerous affair – now the kids want 10. And they want it now.

According to the Inquirer, Microsoft says it’s a deliberate thing – Windows 10 wants to be found, in much the same way a certain gold band felt a compulsion to be picked up after the fall of Isildur:

For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they’ll need if they decide to upgrade.

When the upgrade is ready, the customer will be prompted to install Windows 10 on the device.

Thanks a bunch Redmond!

Now I’m left with a difficult choice – do I say no to my kids (my daughter will socially engineer me away from that course of action unless I stand extremely resolute in the face of extreme cuteness mixed with a dash of petulance and a sprinkling of A-star drama ability) or do I say yes and open up the can of worms that surrounds the latest operating system and its propensity to mimic E.T. and phone home just about all of the time?

Decisions, decisions.

Either way, there is going to be a conversation about privacy in my house tonight (security has already been done to death).

How do you feel about Windows 10? Are you annoyed by the privacy settings, aggravated by the compulsory updates (or pleased about that) or frustrated about how it wants to force itself upon the unwary like the new kid in school who is desperate to make a new friend?

Journalists arrested on terrorism charges after using encryption software

Terrorism = bad.

Encryption = good.

Turkey = confused?

Three journalists, including two Brits, have been arrested in Turkey and charged with “engaging in terrorist activity” because one of the men used encryption software.

Speaking to Al Jazeera, a senior Turkish official said the crypto on one of the journo’s computers was the same as that used by some members of the Islamic State of Iraq and the Levant (ISIL):

The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications.

The official, who demanded anonymity in return for their statement, did not elaborate on just what constituted ‘complex encryption’ but current thinking suggests it may be nothing more than The Onion Router (TOR) or even PGP email encryption software, both of which are used by security professionals and others on a regular basis.

The correspondent, cameraman and fixer, who is a Turkey-based Iraqi, were all arrested in Diyarbakir (south east Turkey) last Thursday.

According to The Guardian, the journalists were covering “recent clashes between Turkish security forces and the Patriotic Revolutionary Youth Movement, the youth wing of the outlawed Kurdistan Workers’ Party (PKK).”

Whether there is any truth in the terrorist claims levied against them remains to be seen, but the case does show that governments have the potential to become at least a little twitchy when faced with systems they cannot easily monitor.

Just like David Cameron, Turkey (my parents live there) has a deep interest in monitoring the use of encryption, as well as keeping tabs on the internet and other invasions of personal privacy.

Censorship is also a big deal, especially where negative commentary of the government or, especially, President Erdogan is concerned. Last year, for example, the authorities banned Twitter for a while after citizens took to the social network to complain about alleged corruption among high-ranking officials.

Other major services, such as Facebook and YouTube, have also come under the spotlight with the PM saying both could be closed for “privacy violations” in the future in what many saw as a thinly veiled threat against sites hosting anti-government content.

In the meantime, three members of the Vice News team remain in detention, possibly because they were reporting on an issue deemed sensitive by the Turkish government.

Encrypted communication is good. For some, such as missionaries and aid workers, it is essential, given the nature of the areas they are working in.

The same could also be said for journalists though not, perhaps, those tasked with reporting from within Turkey!

The death of tin foil? New anti-facial recognition tech set to launch in 2016

Security, security, security.

I love it, you need it, many people are talking about it. I could talk about it all the time.

But in this day and age there is another important topic coming up on the rails: privacy.

Prior to, but especially since, Edward Snowden came onto the scene, people have become increasingly aware of how their privacy is being invaded, both online and off.

I’m sure you’re all aware of the online issues – the actions of the NSA, GCHQ, et al., have been widely publicised – but what about in real, every day life?

Have you seen the roadside cameras designed to ‘improve safety’ by flinging fines at every speeding motorist? Or the CCTV cameras in your local shopping centre? Do you realise the UK has the most video surveillance per capita anywhere in the world?

If so, you may have already taken precautions. After all, the solution has been around for over a century:

tin foil

But if you’re slow to the party, then a new piece of tech may be of interest.

Designed by the National Institute of Informatics (NII) in Japan, Privacy Visor is for the discerning customer who cares about their civil liberties.

Equipped with special lenses, the £240 visor reflects and absorbs light in a way that thwarts security cameras which would otherwise engage facial recognition tactics to id the wearer.

Due to go on general sale next year, researchers suggest it is effective around 90% of the time.

IT World quotes NII researcher Isao Echizen who thinks the new device is rather nifty:

This is a way to prevent privacy invasion through the many image sensors in smartphones and other devices that can unintentionally photograph people in the background.

Speaking to The Wall Street Journal, Echizen gave a bit more detail as to why he thinks Privacy Visor could be the must-have gadget of next year, explaining how “We are often told not to unveil our personal information to others, but our faces are also a type of an ID. There should be a way to protect that”.

The latest device is a successor to prototypes first mooted back in 2012 which utilised 11 LED lights which could prevent facial recognition tech from identifying that a subject was even a person.

That early iteration ultimately proved to be unwieldy though, not to mention garish, and so the new, far more sylish model was born.

Whether it proves to be popular among privacy advocates or as derided as Google’s antithesis – Glass – remains to be seen.

So, will you be buying a pair for yourself, or perhaps as a present for the man who has to have every new gadget?

Or will you stick with the old tin foil?