security | Steve Woods

Seriously

06/04/2023 Steve WoodsLanguage, Security, Tech
The language used in official responses to news stories seems to have been rigid and formulaic in recent times, particularly amongst those organisations within or linked to the public sector.

Today’s edition of The Register reports that ACRO, the UK’s Criminal Records Office was taken offline due to a security breach. The site currently displays a holding page blaming ‘technical issues‘, a fine example of misleading bureaucratic language.

This is the site’s holding page as this post is published.

El Reg notes that manages ACRO people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or current prosecutions. It with British police and businesses, as well as exchanging this data with other countries, particularly where people wish to move or emigrate to another country and a certificate of good behaviour is required from the British police. ACRO has access to data from the Police National Computer via an information sharing agreement with the Cabinet Office.

The data typically handled by ARCO includes name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

Earlier this week, ACRO emailed users to inform them that it had “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023“, adding that “we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter.”

The message went on to say that “robust measures” had been taken as soon as the breach was discovered. It won’t be the first time that pulling the plug on a website has been described by a public sector organisation spokesperson as “robust”, If your systems were truly “robust”, taking the site offline would not have been necessary.

After intoning the “robust” mantra, ARCO then goes on to say: “We take data security very seriously and will ensure that the matter is fully investigated…. Translating this into plain English, this means “Oh dear! We’ve been caught out!”

The fact that ARCO had not taken data security “very seriously” is clearly highlighted by two facts:
- Firstly, ARCO did not notice crooks were gaining access to its computer systems for more than two months; and
- Secondly, it has now freely admitted that it is going to take steps to find out how the breach happened and prevent its reoccurrence. A clear case of that old adage of shutting the stable door after the horse has bolted.
The public sector relies heavily on public trust to do its work. If it really does want to be taken seriously, tough measures need to be taken and implemented, not just for IT security, but in connection a very ancient and fundamental idea: that of honesty.
Czech government using open source web analytics

17/03/2023 Steve WoodsGDPR, Open Source, Privacy, Security, Tech

Joinup, the EU’s open source news site, reports that the Czech Republic is to begin using the Matomo open source web analytics tool on the Czech citizen portal and gov.cz websites, where it will replace Google Analytics.

This change will ensure that the data by the sites collected will stay within the EU and, as the Czech administration will be using its own instance of Matomo, it will retain full control of the records.

The change was triggered by an open letter sent by the Czech the digital freedom watchdog luridicum Remedium after it noticed the Czech state vaccination system website was using Google Analytics during the COVID-19 crisis. The Czech Data Protection Authority and public sector strategic partner NAKIT then pursued the matter and replaced Google Analytics with Matomo on Czechia’s Ministry of Health website. This move later led to further action and the country will continue following this trend on public sector websites.

Previously named Piwik, Matomo has been in development since 2007 and is presently deployed on 1.4 million websites, including those of NASA, the European Commission, the United Nations and Amnesty International.

The Czech decision to choose Matomo follows those of other European countries seeking to keep control of their citizens’ data. Last year the French and Austrian data protection authorities determined that Google Analytics was not compliant with EU data privacy standards, in particular because Google’s data transfers to the United States are contrary to the EU’s General Data Protection Regulation (GDPR).
LibreOffice & Nextcloud for EU Institutions

27/02/2023 Steve WoodsOpen Source, Politics, Security, Tech

EU data protection authorities have negotiated a contract for the use of Nextcloud and LibreOffice Online in EU institutions. They are now testing the solutions, German IT news heise reports.

Data protection-friendly alternatives

It was announced last Wednesday that the European Data Protection Supervisor Wojciech Wiewiórowski and his team have begun testing both solutions this month. In coming months they want to examine “how these can tools support EU day-to-day work“. This pilot phase is part of a larger IT reflection process that the EDPS already started last year aimed at encouraging EUIs to consider alternatives to large-scale service providers to ensure better compliance with Regulation (EU) 2018/1725.

By procuring the Open Source Software from one single entity in the EU, the use of sub-processors is avoided. In doing so, the EDPS avoids data transfers to non-EU countries such as the USA and allows for more effective control over the processing of personal data.

According to Mr Wiewiórowski, “Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly“.

Microsoft Office in the sights

Mr Wiewiórowski has already examined the contracts which EU institutions have with Microsoft and reached the conclusion in 2020 that the data processing purposes when using Windows or Microsoft Office had been defined far too openly. Processing contractors were not adequately audited and data could be transferred too easily by EU institutions to countries outside the Union. At the time, he demanded that Microsoft should only retain user information within the EU. The roles of all those involved with all their rights and obligations must be clearly regulated. Furthermore, Users should look around for alternatives that “enable higher data protection standards“.

The EDPS started further investigations into the use of Microsoft and Amazon cloud services by EU institutions. These entailed the use Microsoft Office 365 by the EU Commission. According to Wiewiórowski many contracts were concluded prior to the “Schrems II Judgment” and had to be examined in the light of the European Court of Justice case law.
Germany – photographing illegal parking is lawful

04/11/2022 Steve WoodsLanguage, Media, Privacy, Security, Tech

German newspaper <a href="https://www.welt.de/regionales/bayern/article241937155/Urteil-Buerger-duerfen-Falschparker-fuer-Anzeige-fotografieren.html".Die Welt states that it’s so obvious: people wanting to report an illegal parker just pull out their smartphone and then send the picture to the police. However, two men in Bavariahad trouble with the state’s data protection authorities. A court has now decided who acted corrected.

A Ferrari parked on the footway being booked in Munich.
Image courtesy of Wikimedia Commons

Anyone who sends photos of illegal parkers as part of a report to the police does not normally violate data protection legislation. This emerged on Thursday from two landmark rulings published by the Ansbach Administrative Court. With these the court agreed with two men who corroborated their reports of parking infringements on footways and cycleways with photos. For using this they received a warning and a fine of €100 each from the Bavarian State Data Protection Office (LDA). Both objected and went to court with the support of Deutsche Umwelthilfe e.V. (DUH)

The administrative court combined the two procedures in a joint hearing because of the identical questions and ultimately ruled that the procedure involved lawful data processing. However, the actual statement of is not available. The verdicts are of fundamental significance from the legal point of view, but are still not absolute.

The DUH, which supported one of the two plaintiffs in a test case, welcomed the verdict. “Illegal parking is no trivial offence, but endangers people who are travelling by bike, wheeled walking frame, wheelchair or pram”, commented Jürgen Resch, its Federal director. “The authorities should not take action against civil society commitment, but rather take consistent measures against blocked footpaths and cycle paths, illegal parking in front of dropped kerbs or at junctions; and do so not just in Bavaria, but nationwide.»

The crux of the proceedings was the question of whether digital transmission of the photos constituted lawful data processing within the meaning of the General Data Protection Regulation since there must be a legitimate interest in forwarding the image files. On the other hand, data transmission and processing must be necessary.

Accordingly, the parties to the proceedings before the court argued about whether the plaintiffs had to be personally affected by the parking violations and whether a written or telephone description of the facts including the vehicle registration number, was not sufficient. In addition, the LDA pointed out that other data such as other cars with registration plates and people can often be seen in the pictures. In reply, the plaintiffs stressed that the police had asked them to document the parking situation as accurately as possible with photos as evidence.

The LDA stated that once the judgment’s statement of grounds was available, it would examine whether the decision was an individual case or whether a reassessment of the use of photos in public places that was critical for data protection had been initiated. In addition, it wants to agree clear and uniform guidelines with the police regarding which information is required when reporting illegal parking and which communication channel should be used.
Chrome’s incognito mode is anything but – allegedly

01/11/2022 Steve WoodsLanguage, Media, Open Source, Privacy, Security, Tech

Google Chrome is a cross-platform web browser first introduced in 2008. Based largely on the open source Chromium browser, perhaps the best description for it is proprietary freeware.

French IT news website Le Monde Informatique reports that a federal judge in California is examining complaints against Google alleging that the company is tricking users into believing that their private life is protected when using the browser’s incognito mode. The lawsuit which was initiated before the North California District Court more than 2 years ago by 5 users is now awaiting a more recent petition from these plaintiff in a class action. One of the complaints concerns Chrome users with a Google account who accessed a non-Google website containing Google tracking or advertising code and who were browsing in incognito mode; a second covers all users of Safari, Edge and Internet Explorer with a Google account who accessed a non-Google website containing Google tracking or advertising code in private browsing mode. According to legal documents first disclosed by Bloomberg, Google employees joked about the browser’s incognito mode and the fact that it was not really private. They also took the company to task for not having done more to provide users with the privacy they though they were enjoying.

Judge Yvonne Gonzalez Rogers, who presides over the United States District Court for the Northern District of California, will decide whether the tens of thousands of users of Chrome’s incognito mode can be grouped together to seek statutory damages of $100 to $1,000 per violation, which could potentially increase the fine to over $5 bn. The definition of the word incognito is to disguise or conceal one’s identity. The confidentiality settings of web browsers are intended to delete local traces of sites visited by a user, as well as web searches and information provided when filling in online forms. Simply put, private modes such as incognito are not supposed to track and record data from web searches and sites visited by users. Google is also facing proceedings linked to user confidentiality from the justice ministers and public prosecutors of several federal states including Texas, the District of Columbia and Washington. Earlier this month Google settled a lawsuit filed by the attorney general of Arizona for $85 mn. Initially filed in June 2020, the class action was asking for at least $5 bn., accusing Google of surreptitiously collecting data on what people were viewing online and where they were browsing despite using private browsing mode. Lawyers for the plaintiffs say they have a large number of internal Google emails proving that managers have known for years that private browsing mode does not do what it claims. When a user chooses to use this incognito mode, Google’s browser is supposed to delete browsing history and cookies automatically at the end of a session.

Data sold for advertising purposes in auctions

The plaintiffs, who are Google Account holders, alleged that the search engine collected their data, distributed it and sold it for targeted advertising through a real-time auction system (RTB). LThe plaintiffs allege that even in incognito mode, Google can see what sites Chrome users are visiting and collect data by means which include Analytics, digital fingerprinting techniques, concurrent applications and processes on a user’s device and AdManager. The latter is a Google service enabling businesses to distribute and create web, mobile and video advertising reports for a company.

According to one report, more than 70% of all website use one of more of Google’s services. More specifically, the plaintiffs allege that every time a user with private browsing mode active visits a website running Analytics or AdManager, the search giant’s software scripts on the site surreptitiously order the user’s browser to send a secret separate message to its servers in California. “Google learns exactly what content the user’s browser software was asking the website to display, and it also passes a header containing the URL information of what the user viewed and requested online. Device IP address, geolocation data and user ID are all tracked and logged by Google”, according to one report in the lawsuit. “Once collected, this mountain of data is analyzed to build digital records on millions of consumers, in some cases identifying us by name, gender, age, and medical conditions and political issues we researched online”, the lawsuit claims.

Truly private browsing results in loss of revenue

In March 2021, a California judge denied 82 motions by Google’s attorneys to end the lawsuit and ruled against the company, allowing it to proceed. In July that year the company was sentenced to pay almost one million dollars in legal fees and expenses as a penalty for not having disclosed evidence concerning the lawsuit in a timely manner.

This week a spokesperson for Google told the Washington Post it had been frank with users about what its incognito mode offers in terms of privacy and that the plaintiffs “deliberately misrepresented our statements”. Jack Gold, senior analyst at J. Gold Associates, said the company makes the majority of its revenue by tracking everyone and selling ad space. “If they’re really creating a completely private browsing experience, then the revenue stream is gone,” he said. “So, I suspect there is a ‘balancing act’ going on internally as to where the borders are around privacy vs. tracking. No company builds a free browser without being able to generate revenues somehow”. The plaintiffs in the case said they chose “private browsing mode” to prevent others from learning what they’re viewing on the internet. When it comes to using Google Chrome and other browsers, “let the user beware,” Gold said. “You have to trust the maker to take care of your privacy, but it’s not always in their best interest to do so”.
Introducing Ubuntu Pro beta

11/10/2022 Steve WoodsLinux, Open Source, Security, Tech

Canonical is currently offering a public beta version of Ubuntu Pro, giving Ubuntu Linux users extended maintenance and security compliance for software packages ranging from the Node.js runtime to Python 2 and Rust. Security cover will be extended for average and high common vulnerabilities and exposures (CVE) for thousands of applications and toolchains including Ansible, Apache Tomcat, Apache Zookeeper, Docker, Drupal, Node.js, Puppet, Python 2, Rust and others.

A free thirty days trial is available for businesses. Ubuntu Pro is available for data centres and workstations. A free level is being offered for small-scale personal use (up to 5 machines).

Since the launch of Ubuntu LTS with 5 years support for the main operating system, businesses have asked the supplier to cover a larger area of the open source landscape under private commercial agreements. These benefits are now offered free of charge to anyone with a free personal subscription to Ubuntu Pro. This may also be combined with 24/7 enterprise level for the Ubuntu operating system.

Ubuntu Pro is available for all Long Term Support (LTS) versions of Ubuntu from version 16.04 LTS upwards. The standard Ubuntu Pro subscription covers security updates for all Ubuntu packages. In addition, Canonical’s Ubuntu Advantage for Infrastructure subscription has been renamed Ubuntu Pro (Infra-only) with no change in its price or range. The Infra-Only subscription covers the base operating system and the private cloud components required for large-scale and bare metal and excludes wider cover for applications. Subscribing to Ubuntu Pro costs US $25 dollars per year excl. tax for one workstation or US $500 dollars per year for a server. On public clouds Ubuntu Pro costs some 3.5% of the average cost of the underlying processing environment.
Family matters

10/10/2022 Steve WoodsBristol, Language, Politics, Privacy, Security

There are some writers whose importance does not diminish with their demise. Take, for example, the ancient Athenian playwright Aristophanes; his plays are still being staged nearly two and half millennia after his death; then there’s that genius in understanding human emotions and the human condition, William Shakespeare.

To these giants of literature, your ‘umble scribe would add the name of George Orwell. Even though he died in 1950, his works still seem startlingly relevant to life in the 21st century and its politics in particular. The major annual prize for political writing in the English Empire (which some still call the United Kingdom. Ed.) is named after him.

Nineteen Eighty-Four (in words, not numerals. Ed.), which was written in 1948 and published in 1949, was intended as a warning against authoritarianism and oppression. However, successive twenty-first century governments seem to have used it as a manual for the implementation of mass surveillance of the population and the removal of their right to privacy, particularly as regards the use of information technology (via e.g. the Regulation of Investigatory Powers Act 2000); and all in the name of so-called security.

What has been exercising your correspondent this morning is a particular passage from The Lion and the Unicorn: Socialism and the English Genius. This was an essay written in 1941 during World War 2 relating to the state of the English, as opposed to the British. In particular, it highlights the outdated English class system as a major impediment in the mid-20th century, as exemplified below.

England is not the jewelled isle of Shakespeare’s much-quoted message, nor is it the inferno depicted by Dr Goebbels. More than either it resembles a family, a rather stuffy Victorian family, with not many black sheep in it but with all its cupboards bursting with skeletons. It has rich relations who have to be kow-towed to and poor relations who are horribly sat upon, and there is a deep conspiracy of silence about the source of the family income. It is a family in which the young are generally thwarted and most of the power is in the hands of irresponsible uncles and bedridden aunts. Still, it is a family. It has its private language and its common memories, and at the approach of an enemy it closes its ranks. A family with the wrong members in control – that, perhaps, is as near as one can come to describing England in a phrase.

Looking at the cupboards bursting with skeletons, one only has to look at the colonial oppressors and crooks that our Victorian forebears sought to elevate to figures of admiration, such as Robert ‘Lord Vulture’ Clive, who used his position in the East India Comp;any for personal enrichment and the likes of Waterloo hero Thomas Picton, formerly a sadistic and cruel governor of Trinidad. Both Clive and Picton have featured in the recent statue wars where the right wing, including government ministers, sought to deny the brutality of empire and its legacy. Sorry, but introducing the system of common law and the game of cricket are not adequate compensation for centuries of plunder, expropriation, conquest, repression and genocide.

Looking at the deep conspiracy of silence about the source of the family income, there has yet to be any official acknowledgement that the family income from the late 16th century onwards was based upon piracy and then increasingly upon slavery, for which some former British Caribbean colonies are clamouring increasingly for reparations.

Finally, let’s come to that family with the wrong members in control. They don’t come more wrong than the current occupant of Number 10 Downing Street, one Elizabeth Mary Truss.

Truss is clearly an admirer – and blatant imitator – of her Tory predecessor Margaret Thatcher, who did so much to destroy the British economy and society in the 1980s. However, what really grates with many people is the manner in which Truss was elevated to the premiership, i.e. elected to the leadership of her party by its 160,000 strong membership which is mainly elderly, white, male and racist (occasionally referred to as a ‘selectorate‘. Ed.), and thus hardly representative of the country.

If England truly is akin to a family, it is one that is deeply dysfunctional.
DuckDuckGo blocks Microsoft trackers

10/08/2022 Steve WoodsPrivacy, Security, Tech

French IT news site Le Monde Informatique reports that DuckDuckGo has decided to block Microsoft’s trackers in its mobile browser applications and browser plug-ins in an effort to extend its approach to privacy protection. It had already been criticised at the start of the year on the matter.

Protecting internet users from tracking and protecting their anonymity is not simple. DuckDuckGo is part of this move and was very upset to find out that as part of its agreement with the Bing search engine, Microsoft had given the green light for user tracking. This is no longer the case since from that date onwards DuckDuckGo’s CEO, Gabriel Weinberg, has stated that blocking the loading of scripts on websites by the browser was extended to Microsoft’s scripts in DuckDuckGo browser applications for iOS and Android and browser extensions (Chrome, Firefox, Safari, Edge and Opera) and that beta applications will follow next month.

DuckDuckGo is attempting to block tracking scripts from search engines and sites such as Facebook, as well as other types of tracking scripts or software. It uses what it calls third-party tracking loading protection to prevent these third-party scripts or cookies from being loaded into the browser. If they did, they could track movements on the web and build a profile of the user, their preferences, etc. If other browsers and browser plug-ins also enable users to protect their privacy, DuckDuckGo has made privacy its priority.

Delayed neutralising

Mr Weinburg’s decision was taken after the discovery at the start of the year by security researcher Zach Edwards that DuckDuckGo was blocking trackers from Google and Facebook, but was allowing some of Microsoft’s trackers via Linkedin and Bing. The discovery was then reported by BleepingComputer. “Previously, we were limited in how we could apply our third-party tracker download protection to Microsoft tracking scripts due to policy requirements related to our use of Bing as the source of our private search results,” Weinberg explained, adding that, “We’re glad that’s no longer the case. We didn’t have and don’t have similar restrictions with any other company.”

DuckDuckGo still has an advertising relationship with Microsoft, which it will maintain. Clicking through on advertisements on DuckDuckGo is anonymous and Microsoft has undertaken not to profile DuckDuckGo users. If Microsoft continues to save the user’s link, it will not associate them with a profile. On an updated support page, DuckDuckGo has provided a summary of everything which its its browser authorises and does not authorise, as well as providing details of web tracking protection.
Prying Google is not your friend

20/05/2022 Steve WoodsGDPR, Media, Privacy, Security, Tech
The Irish Council for Civil Liberties (ICCL) is pointing its finger at Google for spying on users, French IT news website Le Monde Informatique reports. A real-time bidding (RTB) system which is actively used by the company enables it to follow and share what everyone is looking at or doing online and note down this activity’s location. RTB is the technology underpinning all online advertising and it relies on sharing of personal information without user consent, according to the ICCL.

Google’s troubles are far from over. Widely singled out for its actions in terms of the use of personal data, the company is now in the spotlight for its tracking and advertising targeting activity. A report (PDF) published by the ICCL on 16 May accuses the search giant of an unprecedented data breach. The report sheds light on the RTB system, which works in the background on websites and in applications. “It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you,” the report states.

The ICCL report claims it presents the scale of this data breach for the first time.

This data breach takes place throughout the world. The RTB system “tracks and shares what users are viewing online with their location in real time 294 bn. times in the USA and 197 bn. times in Europe each day”, it states. On average a person in the USA has their online activity and location tracked 747 times a day by those using RTB. In Europe, RTB exposes personal data 376 times a day. In Germany alone, Google sends 19.6 million broadcasts about German Internet users’ online behaviour every minute that they are online. “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data”. It is a high-earning business generating more than $117 bn. in the USA and Europe in 2021.

Advertising is an indispensable condition of this system as the majority of advertising on websites and in applications is placed there using RTB. Advertisers spend $100 bn. annually in the USA and Europe. The RTB market’s estimated value was $91 bn. in the USA in 2021 and €23 bn. in Europe in 2019. It therefore highlights that Americans’ online activity and their locations is exposed 57% more frequently than that of users in Europe.

Google is one of the five largest users of this real-time bidding system. No fewer than 4,698 US companies are authorised by Google to receive RTB data on people, whilst in Europe the number drops to 1,058 companies. More specifically, the data collected by Google, like what people are looking at online or doing with an application and their ‘hyperlocal‘ geographical location is broadcast 42 bn. times per day in Europe and 31 bn. times daily in the USA.

The ICCL is working to end the RTB data breach in Europe and has litigation ongoing in three European courts, as follows:
- at the Landgericht in Hamburg against the tracking industry standards body IAB TechLab and against Microsoft’s online advertising exchange Xandr (https://www.iccl.ie/rtb-june-2021/);
- at the Irish High Court against the Data Protection Commission, for its failure to investigate the ICCL’s complaint about Google’s RTB data breach (https://www.iccl.ie/news/iccl-sues-dpc-over-failure-to-act-on-massive-google-data-breach/); and
- in the Brussels Market Court, the ICCL is a party against IAB Europe’s appeal of an order by the Belgian Data Protection Authority, and 27 other EU data protection authorities, against IAB Europe’s “TCF” consent spam system. (https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europes-consent-popups-are-unlawful/).
Research reveals websites collecting information without consent

13/05/2022 Steve WoodsGDPR, Privacy, Security, Tech

Today’s Journal du Geek reports that some unscrupulous websites do not clutter up their webpages with a Submit button when visitors are filling in a form.

If you have already filled in a web form before changing your mind, your data has doubtless been sucked up by an unscrupulous website. In a recent study carried out by researchers from 3 European universities, which will be presented at the Usenix Security conference in August, we learn that some platforms are capable of spying on every character typed on a keyboard.

By analysing 2.8 mn. webpages on the world’s 100,000 most visited websites, the research’s assessment is definitive: in the case of a web form filled completed in Europe, nearly 2,000 of them are capable of collecting the user’s email address before that user has clicked the Send button. One of the joint authors Güne Acar of Radboud University in Nijmegen states: “We were very surprised by the results. We thought we might find a few hundred sites where your email address is collected before you send it, but the result far exceeded our expectations”.

However, the situation in Europe remains better than that in the United States. Whereas the old continent recorded “only” 1844 cases of abusive data sucking, the same request, when sent from the United States triggered 60% more instances, for a total of 2,950 cases, a difference which can be explained in particular by the presence in Europe of the GDPR , which since 2018 has obliged platforms to obtain users’ consent before collecting data..

How do websites record one’s data without consent?

For all practical purposes the majority of sites collecting data before submission forwards email addresses (encrypted or unencrypted) to third party sites are generally specialist advertising campanies, which collected the data to serve up personalised advertising (aka corporate graffiti. Ed.). In some less frequent instances a key logger is used to enable the keystrokes made to be directly recorded.

In Europe, the matter is even more sensitive since a good number of major sites, including Facebook owners Meta and TikTok were amongst the sites tested.