Thursday 28 January 2010

Data Privacy Day will RockYou

We've got a new guest editor today, Mr. Josh Crawford:

Today is Data Privacy Day, the perfect time to rejoice in the attempt by the EU and USA to promote “privacy awareness and education among teens and young adults, focusing on the privacy issues raised by the use of social networking sites” and other types of technology which can share personal information over the internet, with a particular focus on those irritating necessities: passwords.

We here at Data Grub are ecstatic with the news that this most auspicious of occasions has arrived with the millions of people across our two great continents writhing in a frothy mass of pure ecstasy. So finally, this day of data will commence.

But it seems that this day of data celebration will be tainted with the news that RockYou, the online provider of social networking applications for Facebook, MySpace and others, was recently involved in a ruckus with a hacker.

Security firm Imperva uncovered the breach after peering at underground hacking forums; that RockYou was being attacked by a common type of exploit known as a SQL injection flaw. Hackers around the world violated that hole and invited their friends to have a go too. RockYou must have felt pretty sore in the morning.

Apparently the hacker, during a smash and grab attack, violated RockYou’s Database and stole 32 million online passwords. This has given the experts an insight into the kinds of passwords we use. Being the smart and social animals we are, it just so happens that 123456 is the worlds’ most popular password. Amichai Shulman, CTO at Imperva, said, “I guess it’s just a genetic flaw in humans.” Wives and girlfriends of the world: if your fella's favourite football team doesn’t work - maybe you're being just a little too clever. You might find that QWERTY unlocks that treasure trove of porn on his laptop...

Two days before Data Day was to start, the Information Commissioner’s Office warned that “organisations could face tougher sanctions if they fail to report data security breaches,” considering that there have been more than 800 incidents of reported security breaches last year. The sheer number of stunningly unimaginative passwords uncovered by RockYou's hacker suggests that there may well be a further slew of security breaches in the coming months.

Jeff Moss, who is on the USA’s Homeland Security Advisory Council said in response to the RockYou breach that we should rely on complex passwords, ideally around 12 characters long. “It’s like that joke where the hikers run into a bear in the forest, and the hiker who survives is the one that outruns his buddy,” said Moss, pausing awkwardly for an expected laugh which never materialised.

It looks like the RockYou story has a bit further to run - last month enraged citizen Alan Claridge from Indiana, USA, filed a class action suit against the company after they belatedly informed him - some 10 to 12 days after the attack - that his sensitive, personally identifiable information, including e-mail address and password, may have been compromised.

They had kept all the personal identifiable information in plaintext on an unencrypted database that, according to CNET, even a hacker with the most basic skills could’ve exploited.

With the ICO gaining new powers this April to issue fines of up to £500,000 for serious Data breaches, we at Data Grub can only hope that businesses, organisations and private citizens start treating data privacy at least somewhat seriously - starting with passwords.

Tuesday 8 December 2009

The Ads That Dare Not Speak Their Name

Remember Phorm, the evil data pimps who wanted to collect browsing data on Internet users so that they could deliver targeted advertising?

Well, yes, of course you do. It was only a few months ago that the company effectively folded in the UK, having been battered by a succession of staggeringly stupid PR blunders, leaving their investors seriously out of pocket.

So the world and its dog can breathe a sigh of relief that it's safe from this invidious form of advertising, which threatened to usher in a cataclysm unequalled in the annals of human history, surpassing the plagues of Egypt, the eruption of Krakatoa, the rise of Jedward etc. etc.

Er, actually, no. A little-known Internet firm called Google is doing exactly the same thing, with nary a murmur of discontent from the brave warriors who brought Phorm to its knees. And we're not talking about Google's gentlemanly habit of routinely reading Gmail users' emails so that they can serve them with targeted ads. No, it goes further than that.

Some of our more technically literate readers may know that the world's largest text ad broker has, for ages, served up different search results for users logged into its services, such as Google Calendar or Gmail. These search results are tailored to users' previous browsing behaviour, so if you spend a lot of time on bbc.co.uk/sport, Google search results will place this web page higher up the list when it's asked to search for "sport". This, of course, is an entirely selfless service from Google that helps users gain the most relevant results - and it's only coincidental that it helps them to make more money from behaviourally targeted ads.

No problem with that - Google fanbois presumably read the terms and conditions when they sign up to these services (doesn't everyone?). But now Google is "personalising" search results for any user, anywhere, regardless of whether they're signed in to Google or not, through cookies placed on unwitting users' computers.

We've covered behavioural targeting before and, while we don't think it's inherently evil, we do believe that it requires a delicate approach, along with rigorous adherence to best practice procedures to ensure that users are well-informed and are offered a clear choice about whether they want their browsing profiled. Google haven't gone out of their way to publicise their service; nor to explain how to turn it off (it is, naturally, turned on by default).

If companies continue to implement behavioural targeting in a sly, underhand way - as though it were something to be ashamed about - then one can hardly blame the public for being suspicious of it. Instead of cloaking it in the depths of a terms and conditions form, companies like Phorm and Google should communicate openly on the benefits of targeted ads and offers.

One final question remains: why has privacy campaigner Alex Hanff - the single-handed scourge of Phorm and NebuAd, whose brave and lonely battle against these Internet behemoths ended with a victory that brought dragons and St George to mind - been so silent on this issue? Alex, where are you?

Postscript: Google's CEO Eric Schmidt yesterday trotted out that favourite line of civil-liberties-deniers the world round: "If you have something you don't want anyone to know, maybe you shouldn't be doing it in the first place." (©Richard Littlejohn / David Blunkett). How this statement sits with Google Chrome's infamous Incognito function - which hides your porn viewing from other users - remains unclear.

Friday 4 September 2009

New Watchdog Chief Bares His Teeth

So, farewell then Richard Thomas. The outgoing Information Commissioner handed over the baton to Christopher Graham last June, and the new head of the ICO has wasted little time in getting stuck into parliament, the courts and newspapers for failing to stop the flourishing trade in illegally obtained personal and confidential information.

The former DG of the Advertising Standards Authority was giving evidence to the Commons media select committee investigating phone-hacking and other unscrupulous press activity. This issue came to a head a couple of years ago with the revelations that the News of the Screw's was tapping Prince William and Harry's mobiles; the fact that it's taken until now to establish an investigation speaks volumes about the procrastination of our pusilanimous parliament.

While it comes as no surprise that tabloid journalists resort to questionable - even illegal - activities in their work,what beggars belief is the complete absence of deterrent in the form of proper punishment. Graham raised this in his evidence to the committee, criticising the goverment for failing to introduce jail terms for hackers and other willful violators of the Data Protection Act, and claimed that custodial sentences could end the practice "at a stroke".

It's worth noting that Clive Goodman, the Screws' former royal editor, did in fact do four months' bird for hacking the Princes' phones, but Graham pointed out that the NotW case was merely part of a much bigger malaise. Graham said that the ICO had tried to sound the alarm about the scale of the problem as far back as 2006, when it published a report showing that 305 reporters were using private investigators. Unfortunately, said Graham, "...we were let down by the courts, who didn't seem to be interested in levying even the pathetic fines they had at their disposal; we were rather let down by parliament in the end, with no legislation; and we were let down by the newspaper groups, which didn't take it seriously."

It's good to see such forthright common sense from the new Information Commissioner - it's a sign that the ICO is fast becoming a Watchdog with real bite. Graham has made a great start, and we will be following his progress with interest.

Thursday 23 July 2009

The Human Factor

There are some pretty thankless jobs out there, several of which we at Data Grub have experienced directly. And, while it can't match the indignity of chicken sexing or the sheer slog of meter reading, working in a bank comes pretty high up the list of crap jobs.

(Obviously, we're talking about working behind the counter of a high street retail bank. The "master of the universe" type banking jobs - with its private jets, champagne, corporate boxes and complete lack of conscience - sounds quite a laugh.)

What's so bad about working in a bank? Well, aside from the constant pressure to sell massive amounts of debt to the sort of people who shouldn't be trusted with real cutlery, there's also the Data Protection Act to deal with. Banks workers have to watch an achingly-bad training video - which looked dated when it was made in 1998 - about the Act, and how to stay on the right side of the law with regards to customers' data.

No doubt this is a video that'll get dusted down and rewatched by the staff of HSBC, after the bank was fined a mammoth £3 million by the FSA yesterday for taking a laughably cavalier attitude towards customers' personal data.

Another depressingly familiar story of data loss, sure, but it did remind us of that lame old video, in which a harrassed data protection officer pours out his worries about the new Act to a psychiatrist. At one point, the shrink tries to calm him down by saying: "It's really just a matter of common sense."

Quite. Unfortunately, the global supply of common sense has been waning since around 1860, and it's currently rarer than platinum.

But ultimately, it's humans who have the biggest bearing on whether a company successfully fulfills its data protection requirement. With all the talk of encryption, virtual private networks, network and site security, it's easy to forget that technology is only as useful as the human operating it - or forgetting to. Organisations spend time and money communicating their privacy policies; here at Data Grub we'd like to see organisations showing exactly what steps they are taking to ensure that their employees are following best practice at all times. People as a rule are pretty stupid, but when there's a corporate culture of sound data protection processes this cuts regrettable incidents to a minimum. And, with data loss stories in the media almost every week, there's also a business case for having a public and comprehensive data protection policy, in the same way as firms boast about their CSR credentials.

Wednesday 1 July 2009

Anything to declare?

Ah, America! The world's brightest beacon of democracy and freedom; the New World of limitless opportunity, where hard work and fair play are rewarded with the fabulous bounties of the American Dream.

And who can forget that America was built upon the exertions and human capital of the millions of immigrants - themselves often refugees from war, slavery and famine?

Modern day arrivals in the USA have a slightly different experience from these pioneering immigrants. Gone are the humiliating medical inspections, where those suspected of illness and physical defects were marked with chalk symbols. Instead, visitors are subjected to a terrifying ordeal of interrogation by customs officials, including such charmingly naive questions as "Is it your intention to overthrow the government of the United States?" (WS Gilbert famously answered: "Sole purpose of visit".)

But now it's not just fearsome feds with sunglasses and ear pieces that travellers have to worry about: they could risk having their personal data compromised, including fingerprints, employment history and credit information.

It all stems from a company called Clear, which used to speed its customers through customs for an annual payment of $200. To do this, they asked their customers for the personal data that customs officials need to know about travellers. A quarter of a million customers signed up to Clear's service and, for a while, enjoyed VIP treatment at US airports, being rushed through customs and immigration while the plebs queued and sweated.

Unfortunately, Clear shut down its operations last week, and the fate of customers' personal data hangs in the balance. What's interesting is that the company says that it will continue to hold onto this sensitive information, which could still be used by another Register Traveller programme. In other words, the data is a business asset that could be parcelled up and sold on to another firm - as long as that company is in the same line of business.

This is proof - if proof be needed - that personal data is no nothing more than another commodity to be bought and sold. It's worth noting that Clear's privacy policy states that "We do not sell or give lists or compilations of the personal information of our members or applicants to any business or non-profit organization." Unless, that is, we go bust.

We've noted before that companies often rely on burying objectionable practices deep within their Terms and Conditions, but if bankruptcy means companies can ignore their own privacy policies, that's a huge blow to data protection. Even if Clear's successor abides by the most stringent data protection policies, the transfer of such large amounts of sensitive information from one organisation to another is a fraudster's paradise, with plenty of opportunity for data to go missing.

Monday 8 June 2009

Google fails

Congratulations students of the globe! For anyone from the ages of 5 to 15 can enjoy Google’s new attempt at structured data search: Google Squared. And that’s presumably the only group of people that would ever consider using it. Remember when you were eight and your teacher asked you to make a pretty table on British Monarchy with all the monarchs of Britain including their children, spouses and important dates? How you pored over huge encyclopaedias to get all the information? Well, Google Squared officially heralds the end of early education as all these tasks are completed in a matter of seconds for our burgeoning historians and other putative scientists.

If only it were that easy. Just as Babel Fish translate could only ever get a student 12/20 on French translation homework after its launch all those years ago, Google Squared fails to achieve… well anything it’s going for really. A search for the British Monarchy in an attempt to tabulate a chronological factfile brings up a table with the following order – George VI, George II, George V. The genius that is Squared then goes off on a little jaunt that includes the Act of the Union, the Irish Free State, Buckingham Palace and the House of Orange. This just gets embarrassing: the picture accompanying the House of Orange? Why of course! Its Gemma Arterton arriving for the ‘Orange’ BAFTAs at the Royal Opera ‘House’. This is surely Google gone mad. Actually we shouldn’t really be surprised; to be fair to Google, nowadays the Bond Girl must get more hits than the Dutch royals.

It’s rather life affirming to know that even the great god Google isn’t completely infallible. This is an exciting day indeed. This revelation is like those wonderful moments when that beautiful woman who walks like she is better than everyone else trips and falls flat on her face on Oxford Street. At the Christmas Light switch on. On the podium. And the woman is Kate Moss.

One must presumably conclude that the only reason Google released this in such an awkward condition was to distract attention from somewhere else: another attempt to make searching intelligent recently arrived in the form of Wolfram Alpha, the computational knowledge engine. It proclaims to ‘generate output by doing computations from its own internal knowledge base, instead of searching the web and returning links.’ This means, instead of producing lists of useless links or grids of questionable information, it creates pages to answer your search, to the best of its ability. When asked, ‘How many roads must a man walk down before you can call him a man?’, the clever engine replies, ‘The answer, my friend, is blowin' in the wind. (according to Bob Dylan).’ Indeed.

Tuesday 28 April 2009

The lady's for turning

We've taken the odd swipe at Jacqui Smith over the last few months, so it only seems fair to applaud her decision to scrap the Home Office's planned über-database of communications data.

The database would have collected data on all electronic correspondence, such as the time, date and length of communication (and, of course, who contacted whom).

Humble Jacqui said that she recognised the public's concerns that a giant database would be a further step toward a surveillance society. And, in a nice little turn of phrase, she said, "To be clear, there are absolutely no plans for a single store."

No longer any plans, Jacqui, no longer.

Of course the cynics will say that Labour couldn't possibly get away with ploughing hundreds of millions of pounds into a deeply un-popular government IT project in light of last week's austerity budget.

We couldn't possibly comment.

Anyway, the upshot of all this is that ISPs are now responsible for intercepting and storing the data that crosses their networks. To this end, the Home Office have earmarked £2 billion to help ISPs to expand their storage capabilities.

Mobile and fixed line operators will be required to process and link the data together to build complete profiles of every UK internet user's online activity. Police and the intelligence services would then access the profiles, which will be stored for 12 months, on a case-by-case basis.

Don't be surprised if even this plan is quietly dropped by the Conservatives after the 2010 election.

A final point - John Reid, the frankly terrifying former Home Secretary, argues in an opinion piece today that communications data is vital to identifying serious criminals. In his short but predictably manipulative piece, he kicks off with a tear-jerker about a murdered 17 year old whose killers were brought to justice by communications data. This, he says, happened in 2007.

So you see, Reid shoots himself in the foot before he's reached the end of his first paragraph, by showing that police then already had adequate access to communications data.

He then comes up with a classic piece of patronising lip service: "Used in the right way, and subject to important safeguards, communications data can play a critical role in keeping us safe."

Presumably, these would be the safeguards that ensured only 36,989,300 pieces of personal information were lost by the government in 2008. As for using it in the right way, it's as if he hadn't heard of the scandal of local authorities using the RIPA legislation to spy on dog fouling and catchment areas.

If we really do need a giant central database, they'll need to do a lot better than this to convince the public.