Is Dublin Airport recording your phone data?

Hmmm… interesting question, and one many of you may have in mind as you pass through the airport on your way to and from IRISSCON later this week.

The query in question came about following a piece in the Irish Independent about a man who ‘erroneously’ carried a sharp-bladed implement onto a plane.

As part of that write-up, author Emma Jane Hade wrote:

The DAA [Dublin Airport Authority] uses an “automated technology” system to ensure passengers spend no longer than half an hour in the queue for security checks.

It is understood this technology tracks the length of time that passengers carrying Bluetooth- and wifi-enabled devices spend in the queue.

A member of the security team at Dublin Airport revealed there are sensors placed in the roof of the security area that record the time the device and the passenger enters and leaves the queue.


On the face of it, a quick run through security checks may sound appealing, though perhaps slightly less so right now in the wake of the Paris attacks, but what does it mean for passenger privacy?

If you have Wi-Fi or Bluetooth switched on, which I guess many travellers probably do, at least up until the point where they board the aircraft, then Dublin Airport has the capability to track your devices through either or both, irrespective of whether they are actually connecting to anything or not.

And that obviously relates not only to your mobile phone but also your smart watch, tablet, fitness tracker, etc.

The corresponding Wi-Fi and/or Bluetooth MAC address will be hoovered up and, under normal circumstances, both will act as a sort of fingerprint on account of the fact that they are unique to every device.

With that information, the airport can track passengers in much the same way some shops already do, building profiles of where they go.

Given the size of the airport and the relative lack of shopping facilities, it doesn’t appear to be that big a deal but Dublin Airport caters for a large volume of traffic each year, and we know how security services are attracted to bulk data like bees to honey.

Again, possibly not too much for the average passenger to become overly concerned about but there is still an important question at the heart of all this: when did Dublin Airport ask permission to collect this data in the first place?

According to the DAA, the data it collects is not “personal” even though it is obviously personally identifying, and is used only to:

measure and check queue/dwell times at the airport, and the only parties who have access to the data are DAA and the company which operates the system.

Fortunately, the airport appears to be listening though, recently saying that it is in the process of upgrading its system to encrypt collected MAC addresses in such a way that they won’t be able to be linked back to the original MAC address.
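To make the privacy distinction concrete, here is an added example (not the DAA's or its supplier's code) of how a queue-time system can be built so that it keeps no linkable MAC addresses: each address is replaced by an HMAC under a key that is rotated daily and discarded, and only per-day dwell times and aggregates survive. The sensor events, key handling and the 30-minute limit are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
from datetime import datetime

# Constructed sample: (sensor, mac, timestamp) sightings from two roof sensors,
# one at the queue entry and one at the exit, as the article describes.
# The MACs are made-up locally administered addresses, not real devices.
SAMPLE_EVENTS = [
    ("entry", "02:00:5e:00:00:01", "2015-11-16T07:00:00"),
    ("entry", "02:00:5e:00:00:02", "2015-11-16T07:00:10"),
    ("exit",  "02:00:5e:00:00:01", "2015-11-16T07:18:00"),
    ("entry", "02:00:5e:00:00:03", "2015-11-16T07:05:00"),
    ("exit",  "02:00:5e:00:00:02", "2015-11-16T07:40:10"),
    ("exit",  "02:00:5e:00:00:03", "2015-11-16T07:20:00"),
]


def pseudonymise(mac: str, day_key: bytes) -> str:
    """Keyed, one-way pseudonym for a MAC address.

    A plain hash (e.g. SHA-256 of the MAC) would not do: the MAC address
    space is small enough to enumerate, so the hash alone would still act as
    the fingerprint the article worries about. An HMAC under a secret key
    that is rotated (here: one key per day, thrown away afterwards) cannot be
    inverted without the key and cannot be linked from one day to the next.
    """
    normalised = mac.lower().replace("-", ":").encode()
    return hmac.new(day_key, normalised, hashlib.sha256).hexdigest()[:16]


def dwell_times(events, day_key: bytes) -> dict:
    """Match entry/exit sightings per pseudonym; return {pseudonym: minutes}.

    Exits with no matching entry are ignored, and only the first entry
    sighting counts, so a device that lingers in view is not double-counted.
    """
    first_entry = {}
    result = {}
    for sensor, mac, ts in sorted(events, key=lambda e: e[2]):
        pid = pseudonymise(mac, day_key)
        when = datetime.fromisoformat(ts)
        if sensor == "entry":
            first_entry.setdefault(pid, when)
        elif sensor == "exit" and pid in first_entry:
            result[pid] = (when - first_entry.pop(pid)).total_seconds() / 60
    return result


def queue_stats(events, day_key: bytes, limit_minutes: int = 30) -> dict:
    """Aggregate figures, which is all a queue-time measurement needs to keep."""
    times = list(dwell_times(events, day_key).values())
    return {
        "passengers": len(times),
        "mean_minutes": sum(times) / len(times) if times else 0.0,
        "max_minutes": max(times) if times else 0.0,
        "over_limit": sum(1 for t in times if t > limit_minutes),
    }


if __name__ == "__main__":
    # Fresh key for the day; it is never written next to the sightings.
    key = secrets.token_bytes(32)
    print(queue_stats(SAMPLE_EVENTS, key))
```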

Sounds good… but, once again, when and where did Dublin Airport reveal it was collecting such data in the first place?

The answer to that question is something I cannot find.

Microsoft Transparency Report details takedown requests

Ever since Edward Snowden told us what we already secretly knew – namely that our governments are more than a little keen to know what we get up to online – tech companies have been keen to keep us in the loop via annual transparency reports.

Yesterday, for the first time, Microsoft joined in the fun by publishing its own list of statistics, detailing content removal requests both from private individuals and from governments.

Microsoft Transparency Report

While the total figures quoted are laughably small in comparison to similar disclosures made by Google, they do offer some interesting insight into who is looking to protect their privacy/has something to hide/wants to know what you have to hide.

For instance, in the first six months of 2015 the company received 759 link removal requests from Germans wishing to exercise their ‘right to be forgotten’ under the 2014 ECJ ruling that affords a person the right to have inaccurate or outdated information about them removed from search engine results pages.

Of the total of 3,546 such requests it received, the second highest total of 559 came from Brits who were looking to have content removed primarily from Bing, as well as OneDrive, MSN and Bing Ads.

Microsoft says it has complied with around half of the requests it received.

As far as government requests go, China asked for way more links to be removed than any other country – 165 – which is perhaps no surprise given the regime of censorship to be found in that region.

By way of comparison, the UK government only asked for two links to be dropped, as did Russia. The Americans asked Microsoft to remove 11 links while Germany made the same request in respect of just 5 links. That’s out of a total of 186 requests made during the period.

As you may imagine, the figures aren’t quite so small when it comes to law enforcement and government requests for information about users of Microsoft’s services.

In all, the company received some 35,228 requests for data in the first six months of 2015, a slight rise over the preceding six-month period, it said.

Of those, only 3% led to the handing over of content or other data as Microsoft stressed it only ever responds to a valid court order or warrant, a point strengthened by the news that the company turned away twice as many requests (4,383) as last year (2,342) for failing to comply with legal requirements.

Overall, however, the company did hand over subscriber or transactional data in response to 67% of the government requests it received.

Interestingly, though, the report shows how 16% of data requests were unable to be fulfilled as no data was actually found.

Describing its new Transparency Report as version 1.0, Microsoft said:

We also expect that our new Microsoft Transparency Hub will continue to evolve as we gather here reports on a variety of other topics and seek to provide our customers with a better understanding of how Microsoft works to improve transparency about these types of requests and about our own activities around the world.

Facebook Exec to other companies – ‘Privacy will cost you’

If the Irish Data Protection Commissioner orders Facebook to suspend data transfers from Europe to the US, the cost to US multinationals could run into the billions.

Or at least that is the view of a senior Facebook executive who wished to remain anonymous.

Quoted by Ledger Gazette, the official said:

It would be very expensive to divide out data so that it’s stored only in Europe. We would have to build new data centres [in Europe]. We would probably also have to halt some product development while we rethink the architecture of how the data was stored and dealt with.

Even before the recent Safe Harbor ruling, Facebook had announced plans to build a new €200m data centre – its second in Europe (the other is in Sweden) – in County Meath, a move echoed by Google which has also recently unveiled plans for an Irish data centre with the announcement of a €150m project in Dublin.

Both firms may be feeling quite chuffed with themselves over such a decision now that the European Court of Justice (ECJ) has told the Irish Data Protection Commissioner to take another look at a case concerning the privacy of European users’ Facebook data stored in the US.

Contrary to the views of ex-Commissioner Billy Hawkes, the ECJ said the post-Snowden realisation that US authorities were engaging in mass surveillance of data, including the personal information of European citizens, stored by Facebook and other companies, meant the Irish regulator may now need to “suspend” the transfer of data published on the social network where that transfer would take the data outside of Europe and onto US servers.

Irish regulator Helen Dixon is unlikely to conclude an investigation into the case until late next year but, even so, the unnamed executive warned that the ‘wrong’ decision could prove both costly and difficult to comply with, especially as existing ‘backup’ data centres are currently located in many different countries around the world:

We store several copies of each photo uploaded to Facebook in several different data centres in case one site goes down.

Facebook is a free service. That’s a lot of added new cost for a free service.

Of course the Safe Harbor agreement won’t suddenly force Facebook offline overnight – there are a number of temporary measures it can employ, such as gaining user consent to carry on as is – but things may change as the ECJ adds clarification in the future.

For its part, the European Court of Justice ruling that US mass surveillance undermined the fundamental privacy rights of European citizens could affect as many as 4,400 companies, including Apple, Google, Microsoft and other organisations primarily doing business in the technology sector.

Though Max Schrems, whose action led to the case appearing before Europe’s highest court, says the consequences of the ruling will have little effect on consumers, the potential costs added to affected companies’ bottom lines will have to be borne somewhere.

So it is quite possible that user experience will be affected, though not in terms of surfing speeds or product availability. The experience may instead be altered by the additional costs of European data centres, paid for by the increasing price of goods and services they provide.

Except, perhaps, in the case of those companies that offer their services for free. They have an entirely different business model which allows them to make their money in an altogether different fashion, via a product close to home.

Can you guess what that product is?

Leaky NHS health apps removed amid privacy concerns

The UK’s National Health Service (NHS) has had to remove several of its own health apps from its library after researchers discovered they were putting users’ privacy at risk.

The affected apps, part of NHS England’s Health Apps Library, were found to be sending unencrypted personal and medical information over the internet.

The privacy blunder was discovered by researchers from Imperial College London who first contacted NHS officials in April to express concern over how some apps were handling data.

Kit Huckvale, a PhD student at the college, told the BBC that the findings were not altogether dissimilar to what they had found in other health apps but the fact that they had all supposedly been vetted and approved by the NHS was “surprising”.

Huckvale, the lead researcher, said man-in-the-middle attacks were used to analyse 79 apps over a period of six months in 2013.

Of those, 70 transmitted data over the internet and 38 had a privacy policy in place which did not disclose what information would be sent. Furthermore, 23 apps transmitted personal information without encryption and 4 also passed medical data with the same lack of protection in place.

Commenting on the findings, Huckvale said:

Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the NHS.

The results of the study provide an opportunity for action to address these concerns, and minimise the risk of a future privacy breach.

The report, which looked at apps aimed at smokers, drinkers and those wishing to lose weight, comes at a time when the UK government says patients could soon be able to access their medical records via their smartphones – earlier this month the Health Secretary, Jeremy Hunt, said his ambition was to get 15% of NHS patients routinely reading and adding to their online medical records using smartphone apps within the next year – and when the NHS is looking to increase the use of apps as an additional support mechanism for patients.

Responding to the BBC’s story, a spokesman for NHS England said:

We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated.

A new, more thorough NHS endorsement model for apps has begun piloting this month.

While health data is a high value commodity – can you imagine its worth to an insurance company? – personal information can often be far more valuable, though many people do not realise that until it’s too late and their identity has been stolen, or their details used against them for other types of fraud.

So, with that in mind, this story should hopefully serve as a wake-up call to any company that puts apps out in the marketplace, whether developed in-house or by a contractor.

With the appetite for smart devices and the apps that run on them remaining high, the temptation to put something out there quickly may be hard to resist. But stop. And think. Has your developer followed good security practice? Have they considered how the app will handle and transmit personal data?

And have you thought about the possible legal implications of offering an app that transmits personal or, heaven forbid, medical data, in an unencrypted format?

Coming, ready or not – Windows 10, the operating system that wants to be wanted

If you were running a PC on Windows 7 through 8.1 a while back you may have become excited in the run-up to the release of Windows 10, what with the free upgrade and all.

If you were lucky, or persistent enough to cope with a multitude of problems, then you could have been among the early adopters who transmuted a reserved copy into the real deal at or soon after its release date.

Windows 10

Not everyone was so keen though – I myself only have Windows 10 installed on one of a few machines at my disposal because, well, being an early adopter with Microsoft is never a good idea, is it?

Especially with the new auto-updates and all.

I’d rather wait to upgrade the other machines in my house – my kids’ computers – because if there are any gremlins in the system then I’m the first and last line in tech support, a job that seemingly never ends as it is.

So, simple solution thought I – don’t even reserve a copy on their machines. After all, it’s going to be free for a year so there’s plenty of time available to get it installed at a later date.


“Dad, I’ve run out of room on my computer”.

Oh, that’s strange, I wonder why?

Ah… a hidden directory named $Windows.~BT. Hmmm… that sounds familiar… I remember seeing that when I was messing around with my installation of Windows 10. Curious.

So why is there 4.2 GB of unwanted operating system on my daughter’s computer?

Oh, and hang on, why is it asking to be installed?

Curiosity may have killed the cat but in my house it’s a far more dangerous affair – now the kids want 10. And they want it now.

According to the Inquirer, Microsoft says it’s a deliberate thing – Windows 10 wants to be found, in much the same way a certain gold band felt a compulsion to be picked up after the fall of Isildur:

For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they’ll need if they decide to upgrade.

When the upgrade is ready, the customer will be prompted to install Windows 10 on the device.

Thanks a bunch Redmond!

Now I’m left with a difficult choice – do I say no to my kids (my daughter will socially engineer me away from that course of action unless I stand extremely resolute in the face of extreme cuteness mixed with a dash of petulance and a sprinkling of A-star drama ability) or do I say yes and open up the can of worms that surrounds the latest operating system and its propensity to mimic E.T. and phone home just about all of the time?

Decisions, decisions.

Either way, there is going to be a conversation about privacy in my house tonight (security has already been done to death).

How do you feel about Windows 10? Are you annoyed by the privacy settings, aggravated by the compulsory updates (or pleased about that) or frustrated about how it wants to force itself upon the unwary like the new kid in school who is desperate to make a new friend?

Journalists arrested on terrorism charges after using encryption software

Terrorism = bad.

Encryption = good.

Turkey = confused?

Three journalists, including two Brits, have been arrested in Turkey and charged with “engaging in terrorist activity” because one of the men used encryption software.

Speaking to Al Jazeera, a senior Turkish official said the crypto on one of the journo’s computers was the same as that used by some members of the Islamic State of Iraq and the Levant (ISIL):

The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications.

The official, who demanded anonymity in return for their statement, did not elaborate on just what constituted ‘complex encryption’ but current thinking suggests it may be nothing more than The Onion Router (TOR) or even PGP email encryption software, both of which are used by security professionals and others on a regular basis.

The correspondent, cameraman and fixer, who is a Turkey-based Iraqi, were all arrested in Diyarbakir (south east Turkey) last Thursday.

According to The Guardian, the journalists were covering “recent clashes between Turkish security forces and the Patriotic Revolutionary Youth Movement, the youth wing of the outlawed Kurdistan Workers’ Party (PKK).”

Whether there is any truth in the terrorist claims levied against them remains to be seen, but the case does show that governments have the potential to become at least a little twitchy when faced with systems they cannot easily monitor.

Just like David Cameron, Turkey (my parents live there) has a deep interest in monitoring the use of encryption, as well as keeping tabs on the internet and other invasions of personal privacy.

Censorship is also a big deal, especially where negative commentary of the government or, especially, President Erdogan is concerned. Last year, for example, the authorities banned Twitter for a while after citizens took to the social network to complain about alleged corruption among high-ranking officials.

Other major services, such as Facebook and YouTube, have also come under the spotlight with the PM saying both could be closed for “privacy violations” in the future in what many saw as a thinly veiled threat against sites hosting anti-government content.

In the meantime, three members of the Vice News team remain in detention, possibly because they were reporting on an issue deemed sensitive by the Turkish government.

Encrypted communication is good. For some, such as missionaries and aid workers, it is essential, given the nature of the areas they are working in.

The same could also be said for journalists though not, perhaps, those tasked with reporting from within Turkey!

The death of tin foil? New anti-facial recognition tech set to launch in 2016

Security, security, security.

I love it, you need it, many people are talking about it. I could talk about it all the time.

But in this day and age there is another important topic coming up on the rails: privacy.

Prior to, but especially since, Edward Snowden came onto the scene, people have become increasingly aware of how their privacy is being invaded, both online and off.

I’m sure you’re all aware of the online issues – the actions of the NSA, GCHQ, et al., have been widely publicised – but what about in real, everyday life?

Have you seen the roadside cameras designed to ‘improve safety’ by flinging fines at every speeding motorist? Or the CCTV cameras in your local shopping centre? Do you realise the UK has the most video surveillance per capita anywhere in the world?

If so, you may have already taken precautions. After all, the solution has been around for over a century:

tin foil

But if you’re slow to the party, then a new piece of tech may be of interest.

Designed by the National Institute of Informatics (NII) in Japan, Privacy Visor is for the discerning customer who cares about their civil liberties.

Equipped with special lenses, the £240 visor reflects and absorbs light in a way that thwarts security cameras which would otherwise use facial recognition to identify the wearer.

Due to go on general sale next year, researchers suggest it is effective around 90% of the time.

IT World quotes NII researcher Isao Echizen who thinks the new device is rather nifty:

This is a way to prevent privacy invasion through the many image sensors in smartphones and other devices that can unintentionally photograph people in the background.

Speaking to The Wall Street Journal, Echizen gave a bit more detail as to why he thinks Privacy Visor could be the must-have gadget of next year, explaining how “We are often told not to unveil our personal information to others, but our faces are also a type of an ID. There should be a way to protect that”.

The latest device is a successor to prototypes first mooted back in 2012 which utilised 11 LED lights which could prevent facial recognition tech from identifying that a subject was even a person.

That early iteration ultimately proved to be unwieldy though, not to mention garish, and so the new, far more stylish model was born.

Whether it proves to be popular among privacy advocates or as derided as Google’s antithesis – Glass – remains to be seen.

So, will you be buying a pair for yourself, or perhaps as a present for the man who has to have every new gadget?

Or will you stick with the old tin foil?

Toshiba Working On “Unbreakable” Encryption Tech

Asian tech firm Toshiba Corp has grand plans for encryption – it wants to make it completely unbreakable.

The ambitious plan, which Toshiba hopes will come to fruition by 2020, will attempt to address the issue of transferring encryption keys securely in a world where even mail carriers could be engaging in espionage.

The key to Toshiba’s system is a quantum-cryptography system that will make use of photons – light particles – that will be deliverable via custom-made fiber optic cable. No internet required.

According to the Wall Street Journal,

Due to the nature of the particles, any interception or wiretapping activities on the cable would change the form of data, making any spying attempts detectable. And the one-time key would be the same size as the encrypted data, meaning there will be no repeated use of the pattern, which would make decoding without the correct key impossible, analysts say.
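The two claims in that quote, that interception disturbs the photons and that a one-time key as long as the data is never reused, can be shown with a small simulation. This is an added example, not Toshiba's system or code: it models the BB84 quantum key distribution protocol with an intercept-and-resend eavesdropper (the usual textbook model, assumed here) and then uses the sifted key as a one-time pad. The 11% abort threshold is the commonly quoted BB84 figure and is an assumption of the example.

```python
import random

# Commonly quoted BB84 abort threshold: above this quantum bit error rate the
# parties assume an eavesdropper and discard the key (assumed for this example).
QBER_ABORT = 0.11


def bb84_exchange(n_photons: int, eavesdrop: bool, rng: random.Random):
    """Simulate one BB84 run over n photons; return (sifted_key, qber).

    Alice encodes each bit in a random basis (0 = rectilinear, 1 = diagonal).
    Bob measures in a random basis: when bases match he reads Alice's bit
    exactly, otherwise he gets a coin flip. Sifting keeps only the positions
    where the two bases agreed. A one-time key of at least the data length is
    produced from those positions.
    """
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]

    photons = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        # Eve cannot copy a photon: she must measure it (destroying it) and send
        # Bob a fresh one prepared in the basis she guessed. Half her guesses
        # are wrong, and half of those flip Bob's sifted bit: ~25% errors.
        resent = []
        for bit, basis in photons:
            eve_basis = rng.randint(0, 1)
            eve_bit = bit if eve_basis == basis else rng.randint(0, 1)
            resent.append((eve_bit, eve_basis))
        photons = resent

    bob_bits = []
    for i, (bit, basis) in enumerate(photons):
        bob_bits.append(bit if basis == bob_bases[i] else rng.randint(0, 1))

    # Bases are compared over a public channel; matching positions are kept.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    # Simplification: QBER measured over all sifted bits rather than a sample.
    errors = sum(1 for i in sifted if alice_bits[i] != bob_bits[i])
    key = [alice_bits[i] for i in sifted]
    return key, (errors / len(sifted) if sifted else 0.0)


def one_time_pad(data: bytes, key_bits) -> bytes:
    """XOR data with key bits of at least the same length (decrypts the same way).

    Refuses a short key: stretching or reusing a pad is exactly the "repeated
    use of the pattern" the article says the scheme avoids.
    """
    if len(key_bits) < 8 * len(data):
        raise ValueError("a one-time pad needs at least as many key bits as data bits")
    pad = bytes(int("".join(str(b) for b in key_bits[i:i + 8]), 2)
                for i in range(0, 8 * len(data), 8))
    return bytes(d ^ p for d, p in zip(data, pad))


def compare_runs(n_photons: int = 4000, seed: int = 7) -> dict:
    """One clean and one intercepted exchange from the same seed, with stats."""
    clean_key, clean_qber = bb84_exchange(n_photons, False, random.Random(seed))
    tapped_key, tapped_qber = bb84_exchange(n_photons, True, random.Random(seed))
    return {
        "clean_bits": len(clean_key), "clean_qber": clean_qber,
        "tapped_bits": len(tapped_key), "tapped_qber": tapped_qber,
        "tapped_key_rejected": tapped_qber > QBER_ABORT,
        "clean_key": clean_key,
    }


if __name__ == "__main__":
    r = compare_runs()
    print(f"no eavesdropper: {r['clean_bits']} sifted bits, QBER {r['clean_qber']:.3f}")
    print(f"intercept-resend: {r['tapped_bits']} sifted bits, QBER {r['tapped_qber']:.3f}, "
          f"rejected={r['tapped_key_rejected']}")
    msg = b"queue times only"
    ct = one_time_pad(msg, r["clean_key"])
    print("round trip ok:", one_time_pad(ct, r["clean_key"]) == msg)
```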

The company, which is better known for its TVs, laptops and computer components, will test its new quantum-cryptography system for a period of two years. If it proves to be successful, we could expect to see the company take it to market in ten to twenty years which, beyond being a long way into the future, is also a huge pain for anyone looking for an alternative to RSA and ElGamal encryption.

Currently able to transmit photons at a distance of 100 km without a repeater, Toshiba’s experts will take the system out of its own labs and into Japan’s Tohoku University in August for further testing.

Whether the new system will prove to be the silver bullet we’re all looking for remains to be seen – as Tripwire’s Ken Westin says:

It is great to see new innovations and research focused on better methods of encrypting data, however when I hear “unbreakable encryption” or “100% secure” I immediately think of the Titanic. Making such claims in the world of security, particularly when it involves new technology is getting a bit ahead of ourselves, particularly when it will not be deployed for another decade. A component of security that is often overlooked which is critical to adoption of new security technology is usability and actual adoption of the technology.

Not only that, Toshiba also has to contend with domestic competition from NEC Corp. and other non-Japanese firms who are also looking into new types of encryption technology. Add the fact that development of such tech doesn’t come cheaply – the WSJ says Toshiba’s servers cost $81,000 a pop – and technical issues such as heat and vibration affecting far-travelling photons, and it’s hard to see the company’s dream of providing “perfect” encryption to everyone becoming a reality any time soon.

And talking of perfect, there are no guarantees that Toshiba’s system will deliver that promise either with Westin saying:

Even if new technologies are able to completely ensure the encryption of data in transit, this does not ensure that the data is encrypted at rest, so many of the challenges with securing data we see today could still exist. We will see a lot of changes over the next ten years and it’s hard to know how effective newer encryption technologies will be when they are deployed.

But what if a completely unbreakable form of encryption was developed?

How would the various governments of the world react? Do you think they’d be pleased? :-)

Twitter Ye Not – Microblogging Site Blamed For ‘Endangering National Security’

Over the weekend one of the biggest stories surrounded the Sunday Times article about Edward Snowden and how his actions may have placed US and UK spies’ lives in danger. With every source for that article hiding behind the cloak of anonymity, it has been widely trashed by the security community. And probably rightly so.

But what the story did do was detract from something else of interest – a piece in the Telegraph about how one of Britain’s top cops has suggested Twitter could be ‘endangering national security’ by tipping off users who may be under surveillance.

On the back of the news that Twitter blocks two-thirds of the UK government’s requests for information, Sir Hugh Orde, former president of the Association of Chief Police Officers and Northern Ireland chief constable, said the approach of Twitter and other tech firms “needs to be addressed”.

Prime Minister David Cameron, who favours the abolition of encryption, also waded in, suggesting that social media companies have a responsibility to the safety of the British public which could only be honoured by handing over terrorism-related data whenever asked for.

Responding to a report by the government’s independent reviewer of terror laws, which claimed Twitter and others had alerted terror suspects that they were being monitored by the authorities, Orde said:

Clearly this needs to be addressed. It’s a statement of the blindingly obvious that this is endangering national security. Anyone who thinks it’s sensible to compromise investigations is acting in an extremely irresponsible way. It certainly needs to be looked at.

Adding to the wave of condemnation, Professor Anthony Glees, from the University of Buckingham’s Centre for Security and Intelligence Studies, said Twitter’s behaviour was “deeply offensive” and driven by profit:

The implication is that Twitter views itself as neutral in the fight for a decent and safe society. The people who use Twitter will be horrified. It shows the depths to which people who make money out of the lack of regulation on the internet are prepared to go.

So, I guess the question is, just how horrified are you?

Are you horrified that Twitter and other social networks don’t simply hand all of your data over to the authorities whenever they click their fingers?

Maybe you are horrified at the thought of Twitter informing people – who have not been convicted of any crime – that they are being spied upon?

Perhaps you are horrified that two online newspapers have run ‘scary’ stories within days of each other?

Or are you just horrified that the government and other authoritative figures don’t have a grasp on topics such as privacy and how the internet works as they continue to promote “The Snooper’s Charter” as the solution to a problem arguably of their own making?

Privacy And Porn Faux Pas Leaves ‘Earl Grey’ Choking On His Tea

We here at SecurityWatch believe security is important. Very important.

But, as we’ve often said, technical security can often amount to nothing when human nature gets added into the mix.

And yesterday Ars Technica provided a fine example of what we mean.

Those of you with good memories, or an interest in certain corners of the web, may well remember how the FBI nabbed the Megaupload domain off of Kim Dotcom.

The agency subsequently lauded their new acquisition by proudly redirecting fans of the site to another page under their control, complete with a lovely bureau banner.


All good things come to an end though, and that includes the registration of the domain.

Normally a business owner, or dedicated member of staff, would be highly alert to such a happenstance – after all, most hosts are hardly bashful when it comes to sending reminders out – but, in this case, something went wrong and the domain was put up for auction by GoDaddy.

Enter a British ex-pat adorned with a suitably nationalistic name: Earl Grey.

A self-styled “black hat SEO marketer,” Earl Grey swiped the domain up, presumably hoping to profit from the undoubted popularity and brand awareness it still carries, not to mention traffic.

As senior GoDaddy security architect Scott Gerlach says:

Once the domain is transferred, DNS records don’t move with domain. The new domain holder could have scraped all the DNS records, and then recreated them and monkeyed with the ones he wanted to change. He would have had to recreate all the entries; there are some tools out there that allow you to guess DNS entries and scrape the info. He would have had to know what he was doing to make it happen—it’s not technically easy to do, but doable.

Irrespective of what actually happened – and I don’t think anyone other than Earl Grey and GoDaddy have any answers right now – the domain ultimately ended up serving “porn, drugs, malware & ad scams,” according to Kim Dotcom.

Imagine if that was your corporate website?

The amount of security in place would be largely irrelevant if someone let the domain name expire and, hence, end up under someone else’s control, wouldn’t it?

But there is a twist in this tale for Earl Grey.

No matter what he may or may not have done with the Megaupload domain he did, in many respects, become a victim himself.

A week after the domain expired the FBI finally realised and contacted GoDaddy. Gerlach explained that:

We got a notice of an ongoing criminal investigation regarding malware distribution, which led to a Terms of Service violation and domain suspension.

Which basically means that the domain was frozen. I’m not sure whether that means Earl Grey will be entitled to a refund on the purchase price but one thing that’s for sure is that the purchase cost him his privacy.

As many website owners do, he blocked his contact details from appearing via a Whois lookup which is a sensible and advisable course of action to take.

Unfortunately, however, the suspension of the domain also took away his Domains By Proxy coverage, revealing all manner of personal info to anyone who cared to look for it.

Not that we needed such a disaster to befall him to find out that he lives in sunnier climes – Earl Grey likes to tweet you see, often talking about his taste in food, but also occasionally requesting assistance in the form of “an english person to be a cook/maid for a few hours a day in Marbella Center”.

I guess he didn’t value his privacy that much then, even though he does feel quite strongly about it (“I feel like I have been raped by @godaddy over my privacy. I empathize with women and men who have been raped. Violated.”).

So, what can we learn here?

There are a few lessons, the first of which is that privacy and security issues are more often than not caused by the action or inaction of people rather than shortfalls in technology.

Secondly, if you own a website be on the lookout for domain renewal notices or at least be aware of when your registration expires – it’s no good securing a website if you let it slip out of your control.
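One way to act on that second lesson without relying on a registrar's reminder e-mails is to check the registry's own record. The following is an added example, not anything from GoDaddy or the people in the story: it reads the expiration event out of an RDAP response (the JSON format registries serve for domain lookups) and classifies how urgent renewal is. The RDAP document, dates and 60-day warning window are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP response for a made-up domain, trimmed to the fields this
# check needs. Real responses come from the registry's RDAP endpoint.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2010-11-20T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2015-12-10T00:00:00Z"},
    ],
})


def expiry_from_rdap(rdap_json: str) -> datetime:
    """Return the timezone-aware expiration date from an RDAP domain object."""
    doc = json.loads(rdap_json)
    for event in doc.get("events", []):
        if event.get("eventAction") == "expiration":
            # RDAP dates are RFC 3339; fromisoformat needs "+00:00" rather than "Z".
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    raise ValueError("no expiration event in RDAP response")


def renewal_alert(rdap_json: str, now_iso: str = None, warn_days: int = 60) -> dict:
    """Classify the domain as 'expired', 'warning' or 'ok' relative to now_iso.

    now_iso is an ISO 8601 timestamp with offset (defaults to the current UTC
    time); warn_days is how far ahead of expiry to start raising an alert.
    Also reports whether a transfer lock is set, since an expired or unlocked
    domain is the one that ends up at auction.
    """
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))
    doc = json.loads(rdap_json)
    remaining = (expiry_from_rdap(rdap_json) - now).days
    if remaining < 0:
        level = "expired"
    elif remaining <= warn_days:
        level = "warning"
    else:
        level = "ok"
    return {
        "domain": doc.get("ldhName"),
        "days_left": remaining,
        "level": level,
        "transfer_locked": "client transfer prohibited" in doc.get("status", []),
    }


if __name__ == "__main__":
    print(renewal_alert(SAMPLE_RDAP))
```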

Thirdly, are you aware of what your website is serving to visitors? I’ve seen many a derelict site that is packed full of junk and malware and the same can be said for current sites that get attacked – how often are you checking the integrity of yours?

Lastly, what are you doing to ensure your privacy? Are you hiding your contact details from the general web populace? Are members of your team then undermining that by saying too much on social media?

Food for thought, eh?