Privacy | Steve Woods

Indigestible cookies

08/01/2022 Steve WoodsPrivacy, Tech

In France the Commission Nationale de l’Informatique et des Libertés (CNIL) has fined Google €150 million and Facebook €60 mn. for non-compliance with French data protection legislation, which also covers cookies.

As a result of its investigations following the receipt of complaints from members of the public, the CNIL found that the websites facebook.com, google.fr and youtube.com do not make refusing cookies as easy as to accept them and so penalised them financially. The €150 mn. fine for Google is broken down into €90 mn. for Google LLC and €60 mn. for Google Ireland Ltd.

Furthermore, the CNIL also ordered Google and Facebook to provide French-based internet users lwith a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent, within three months. If they fail to do so, the companies will have to pay a penalty of €100,000 euros per day of delay.

The problem of privacy-conscious people being put to unnecessary effort to reject cookies is widespread. For instance, when visiting a Reach plc newspaper site (Reach owns the Mirror, Express and scores of regional news titles around the country. Ed.), users who wish to reject all cookies have to work through the options; this entails four clicks of the mouse, as opposed to one to accept all cookies. The best sites have a one-click option to accept or reject all cookies.

As someone who has been using the internet since the days of dial-up modems, your ‘umble scribe has long believed rejecting cookies should be the default and those who want to accept them made to go through the same laborious process to which cookie refuseniks are currently subjected.
More comprehensive, transcendental abuse?

30/10/2021 Steve WoodsLanguage, Media, Politics, Privacy, Social Media, Tech

In the small hours of Friday morning, news came in that Facebook Inc. is to change its name to Meta, allegedly better to “encompass” what it does as it expands from social media to other sectors such as virtual reality.

Meta, from the Greek μετα-, meta-, meaning “after” or “beyond“, is a prefix meaning more comprehensive or transcending.

Whether the rebrand will involve the more dubious of Facebook’s more comprehensive or transcending business practices being extended to those new sectors remains to be seen.

Facebook was founded in February 2004 by Harvard student Mark Zuckerberg. Not long afterwards, the controversies and abuse of users started. As The Register recalled in 2010, the then 19 year-old Zuckerberg called his first few thousand users “dumb f*cks” in a private conversation with a friend.

However, even that early sign of contempt did not prevent Zuckerberg’s social media infant growing into an obese behemoth of the social media sector, with a current user (i.e. product. Ed.) base of 2.85 billion people.

Perhaps Zuckerberg is secretly delighted there are so many dumb people in the world. They’ve been paying his bills for more than one and a half decades, after all.

After those early days, Facebook’s user base grew, as did the propensity for abuse, culminating in the Cambridge Analytica data scandal. Cambridge Analytica was established in 2013 as a subsidiary of the private intelligence company and self-described “global election management agency” SCL Group by 3 long-serving SCL executives. The company offices in London, New York City and Washington, DC. Cambridge Analytica was implicated in affecting the results of the 2016 US presidential campaign, where data it hoovered up from Facebook users was used to build psychographic profiles, determining users’ personality traits based on their Facebook activity. These profiles were then used for micro-targeting voters displaying customised advertisements on various online platforms. The key point of this activity was to identify those who might be enticed to vote for Trump or be discouraged to vote for their opponent. In addition, Cambridge Analytica was allegedly hired as a consultant company for Leave.EU and the UK Independence Party during 2016 as an effort to convince people to vote in favour of the UK leaving the European Union in David Cameron’s amateurish EU membership referendum. However, the UK Information Commissioner’s official investigation found that Cambridge Analytica was not involved “beyond some initial enquiries” and the regulator did not identify any “significant breaches” of data protection legislation or privacy or marketing regulations “which met the threshold for formal regulatory action“. Cambridge Analytica cased operations in 2018 following the revelations of its privacy-busting operations, although firms related to both Cambridge Analytica and its parent firm SCL still exist.

Zuckerberg subsequently apologised for Facebook’s involvement with Cambridge Analytica, calling it an “issue“, a “mistake” and a “breach of trust“, as well as pledging not to let such abuse occur again.

Nevertheless, the abuse of users didn’t stop and have continued right up to the present.

The latest revelations come ex-employee Frances Haugen, who was employed by Facebook as a data scientist, leaked documents revealing that the company placed “profits over safety“. Since her revelations, Ms. Haugen has given evidence to a US Senate sub-committee and testified in person to a UK parliamentary committee scrutinising the online safety bill.

Reporting on the name change, The Register noted beneath its headline that Zuckerberg’s social network has “Meta-stasized“. Leaving aside El Reg’s overt reference to the former secret police of the so-called German Democratic Republic, metastasis is defined as a change of position, state, or form. The primary use of metastasis today is in medicine where it defines the development of secondary malignant growths at a distance from a primary site of cancer.

Finally, as a further dampener on the rebrand’s distraction value, a report in today’s Guardian reveals that Meta translates as dead in Hebrew.

Have fun in Zuck’s metaverse, y’all! 😀
Anonymity and hypocrisy

20/10/2021 Steve WoodsPolitics, Privacy, Social Media

Priti Patel, inexplicably promoted beyond her competence (i.e. unfit to clean a public office, let alone fill one. Ed.) by part-time alleged prime minister Alexander Boris de Pfeffel Johnson to Home Secretary, announced her latest authoritarian measure last Sunday; this time mis-targeted at reducing online harassment and abuse on social media.

Reporting on her appearance on Sky’s Trevor Phillips on Sunday, The Independent writes:

Ms Patel indicated she is considering going a step further by requiring sites such as Facebook or Twitter to retain details of the identities of people posting material which could be handed over to police investigating crimes.

Needless to say Patel’s announcement of the proposed slap of firm government has gone down well with the more right-leaning members of the British establishment, one of whom took to the very same social media to become a cheerleader for repression.

Lance who?

At this point someone steps forward with no style at all and inserts his foot firmly between his teeth, namely Mr Lance Philip Forman, educated at Haberdashers’ Aske’s Boys’ School and Trinity College, Cambridge. However, this scion of the British establish is better known as a former Brexit Party MEP, as well as the owner of London-based salmon smokers H. Forman and Son.

Forman is not backwards in coming forward to support Priti Patel’s proposal to ban social media anonymity, tweeting:

Excellent. Anonymity should be removed from social media.
However,and it’s a substantial however too, Mr Forman’s support for the alleged home secretary’s anonymity proposal comes with a large helping, not of smoked salmon but cordon bleu grade hypocrisy.
Use quick internet search on Mr Forman quickly turns up his Wikipedia page, which just happens to mention the following information which does not lend support to his stance:

Lance Philip Anisfeld (born 13 October 1962), known professionally as Lance Philip Forman, is a British politician and businessman,…

Known professionally as… Isn’t that the same as concealing one’s true identity which is not too far removed from hiding behind anonymity? 😉
Reasons to be fearful

16/09/2021 Steve WoodsPolitics, Privacy, Social Media, Tech

As your ‘umble scribe writes this post, part-time alleged prime minister Alexander Boris de Pfeffel Johnson is now on day two of an extensive reshuffle of government ministers.

His first cabinet was chosen more for loyalty to Brexit than for talent and included some who had done a complete 180-degree turn on their pre-referendum stance in order to climb the greasy pole of political ambition.

The latter include the singularly untalented Liz Truss (whose biggest achievement as Trade Secretary was copying and pasting new copies of pre-existing EU trade agreements with third countries so they could continue in effect in a post-Brexit context. Ed.), who can now carry on filling in the ministerial My First Foreign Secretary’s Colouring Atlas where Dominic Raab left off, following the latter’s demotion to Justice Secretary.

The singularly unattractive Priti Patel remains as Home Secretary. The less said about that the better.

However, given the shallowness of the Tory talent pool, the most surprising appointment of the first day of Johnson’s rearranging the deckchairs on the Titanic was his appointment of Nadine Dorries as Secretary of State for Digital, Cultural, Media and Sport. Nadine was put on Earth to demonstrate that potatoes are more intelligent beings than the Rt. Hon. Member for Mid Bedfordshire.

Part of the fragrant Nadine’s brief includes all things digital, including the minor matter of IT security. To gain an insight into the new Secretary of State’s attitude to this subject, I refer readers to 2 Dorries tweets from 2017.

Cavalier doesn’t quite describe such an attitude to basic security and privacy.

Then there’s the whole question of gravitas – a necessary pre-requisite for public office, not that you’d know it with Bozo the Clown’s appointments.

A quick glance across the English Channel and North Sea to 2 European counterparts reveals some startling contrasts. Besides being French Culture Minister, present incumbent Roselyne Bachelot is an opera fan who has written a well-regarded work on Verdi. Monika Grütters, Germany’s Culture Minister was a university lecturer before entering politics and is still an honorary professor at Berlin’s Free University. On the other hand, Dorries’ biggest claim to fame (after her fiddling expenses) is eating ostrich anus on a so-called reality television show.
Tor Browser squashes user tracking bug

12/07/2021 Steve WoodsOpen Source, Privacy, Tech

The Tor Project has updated its browser after the discovery of a bug with more than dangerous repercussions for user privacy. URLs based on onion services version 2 should migrate to version 3 before September 2021.

A recent update of the Tor Browser to version 10.0.18 has enabled several bugs to be corrected, including a rather serious vulnerability for users, French IT news site Le Monde Informatique reports. As a matter of fact, this bug, which is based on version 2 of its onion services, enabled some sites to track users from the applications installed on their devices.

Tor Browser running on Ubuntu Linux. Image courtesy of Wikimedia Commons.

The vulnerability tracked users via their browsers, enabling any website or government to discover a user’s actual IP address, which is contrary to the basic principle of the Tor project. URLs actually benefit from a security gain with version 3 of onion services. This is due to the fact that they use “cleaner” code with stronger cryptography which is proving to be less susceptible to brute force attacks due to its complexity.

URLs under onion services V2 no longer supported from 15 July

The project also announced it would start to deprecate URLs under onion services version 2 by initially advising the operators and clients that access them. With effect from 15 July, Tor will no longer support V2 URLs V2 and support for them will be removed from the browser codebase.

So as to ensure that each user and website administrator is well aware of this change, a message will be displayed “when visiting sites which are still using V2 URLs advising they will shortly be deprecated and the site will be inaccessible unless it is updated to version 3 of onion services“.
American Express? That won’t do nicely!

21/05/2021 Steve WoodsLanguage, Media, Privacy, Tech

Yesterday the Information Commissioner’s Office (ICO) reported that it had fined American Express Services Europe Ltd. (Amex) £90,000 for sending four million unlawful, unsolicited marketing emails.

IT news site The Register has done some number crunching and worked out that the fine imposed by the ICO is equivalent to 0.021p per offending email or 0.009 per cent of Amex’s annual profits.

The regulator instigated investigations after receiving complaints from American Express customers who had specifically opted out of receiving marketing information. During its investigation the ICO found that American Express had sent over 50 million so-called “servicing emails” to customers (which anyone sensible would call spam. Ed.). The ICO revealed that between 1st June 2018 and 21st May 2019, over 4 million of those emails were marketing emails, designed to encourage customers to make purchases on their cards, thus benefiting the company financially.

Andy Curry, the ICO’s Head of Investigations said:

This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.

The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases. Amex’s arguments, which included, that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its Credit Agreements with customers, were groundless.

Our investigation was initiated from just a handful of complaints from customers, tired of being interrupted with emails they did not want to receive. I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.
Track & trace ‘partner’ sent 84,000 nuisance emails

19/05/2021 Steve WoodsGDPR, Privacy, Tech
The Information Commissioner’s Office (ICO) has today reported it has fined a Hertfordshire company for sending direct marketing emails to people who provided their personal data for contact tracing purposes as part of the response to the coronavirus pandemic.

St Albans-based Tested.me Ltd (TML) provides digital contact tracing services which work by offering people a QR code to scan when arriving at their destination.

TML sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to comply with government contact tracing rules.

The ICO fined TML £8,000 for using personal data for marketing purposes without adequate valid consent, contrary to law.

The ICO has created guidelines for businesses to follow as the UK economy continues to open up. Providers should:
- Adopt a data protection by design approach (DPBD) from the start when they develop new products;
- Make privacy policies clear and simple so that people understand how their information will be handled;
- Not keep any personal data they have collected for more than 21 days – in line with regulations brought in last year for the collection of information for contact tracing;
- Not use the personal data for marketing or any other purpose;
- Keep up to date with the ICO’s online guidance.