Privacy

  • Tor Browser squashes user tracking bug

    The Tor Project has updated its browser after the discovery of a bug with particularly dangerous repercussions for user privacy. Sites using URLs based on onion services version 2 should migrate to version 3 before September 2021.

    A recent update of the Tor Browser to version 10.0.18 corrects several bugs, including a rather serious vulnerability for users, French IT news site Le Monde Informatique reports. The bug, which lies in version 2 of Tor’s onion services, enabled some sites to track users by the applications installed on their devices.

    Tor Browser running on Ubuntu Linux. Image courtesy of Wikimedia Commons.

    The vulnerability tracked users via their browsers, enabling any website or government to discover a user’s actual IP address, which runs contrary to the basic principle of the Tor project. Version 3 of onion services brings a genuine security gain for URLs: it uses “cleaner” code with stronger cryptography, which its greater complexity makes less susceptible to brute-force attacks.

    URLs under onion services V2 no longer supported from 15 July

    The project also announced that it would start to deprecate URLs under onion services version 2 by first advising the operators and clients that access them. With effect from 15 July, Tor will no longer support V2 URLs, and support for them will be removed from the browser codebase.

    So as to ensure that each user and website administrator is well aware of this change, a message will be displayed “when visiting sites which are still using V2 URLs advising they will shortly be deprecated and the site will be inaccessible unless it is updated to version 3 of onion services”.
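    A practical first step for anyone maintaining a list of onion links or hidden-service bookmarks is to find the V2 addresses that will stop working and confirm that the V3 replacements are well formed. The checker below is an added example written for this page, not code from the Tor Project. It relies on the published V3 address layout (32-byte Ed25519 public key, a two-byte SHA3-256 checksum over “.onion checksum” || pubkey || version, and a version byte of 0x03, base32-encoded to 56 characters) and on the fact that V2 addresses are 16 base32 characters; the sample URLs and the `build_v3_address` helper are constructed for the demonstration and do not point at any real service.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches an optional scheme, the onion label, an optional port and path.
# Sub-labels such as www.<label>.onion are deliberately not accepted here.
ONION_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*://)?([a-z2-7]+)\.onion(?::\d+)?(?:/.*)?$",
    re.IGNORECASE,
)

V3_VERSION = b"\x03"  # version byte defined by the v3 onion address format


def v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that a v3 address carries after the public key."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def build_v3_address(pubkey: bytes) -> str:
    """Constructed helper: encode a 32-byte public key as a v3 .onion name."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


@dataclass
class OnionCheck:
    url: str
    version: Optional[int]   # 2, 3, or None when the label is not recognisable
    valid: bool
    note: str


def classify_onion(url: str) -> OnionCheck:
    """Classify a URL as a v2 (deprecated) or v3 onion address and validate v3."""
    m = ONION_RE.match(url.strip())
    if not m:
        return OnionCheck(url, None, False, "not a .onion URL")
    label = m.group(1).lower()
    if len(label) == 16:
        return OnionCheck(url, 2, True,
                          "v2 address: deprecated, migrate to v3 before September 2021")
    if len(label) == 56:
        try:
            raw = base64.b32decode(label.upper())
        except ValueError:
            return OnionCheck(url, 3, False, "v3 length but not valid base32")
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version != V3_VERSION:
            return OnionCheck(url, 3, False, "v3 length but version byte is not 0x03")
        if checksum != v3_checksum(pubkey):
            return OnionCheck(url, 3, False,
                              "v3 address with bad checksum (typo or tampering)")
        return OnionCheck(url, 3, True, "v3 address: OK")
    return OnionCheck(url, None, False, f"unexpected label length {len(label)}")


def find_v2(urls: List[str]) -> List[str]:
    """Return the URLs from the list that still use deprecated v2 addresses."""
    return [u for u in urls if classify_onion(u).version == 2]


if __name__ == "__main__":
    # Constructed sample link list; the v3 entry is derived from an all-zero key.
    sample = [
        "http://abcdefghijklmnop.onion/",            # constructed v2-style label
        build_v3_address(bytes(32)),                 # constructed, checksum valid
        "https://example.com",                       # not an onion URL at all
    ]
    for u in sample:
        c = classify_onion(u)
        print(f"{c.version!s:>4}  {c.valid!s:>5}  {c.note}  ({u})")
    print("needs migration:", find_v2(sample))
```

    Run over a real bookmark or link file, `find_v2` lists what must change before the cut-off, and the checksum test on V3 entries catches mistyped or altered replacement addresses before they are published.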

  • American Express? That won’t do nicely!

    Yesterday the Information Commissioner’s Office (ICO) reported that it had fined American Express Services Europe Ltd. (Amex) £90,000 for sending four million unlawful, unsolicited marketing emails.

    IT news site The Register has done some number crunching and worked out that the fine imposed by the ICO is equivalent to 0.021p per offending email or 0.009 per cent of Amex’s annual profits.

    The regulator instigated investigations after receiving complaints from American Express customers who had specifically opted out of receiving marketing information. During its investigation the ICO found that American Express had sent over 50 million so-called “servicing emails” to customers (which anyone sensible would call spam. Ed.). The ICO revealed that between 1st June 2018 and 21st May 2019, over 4 million of those emails were marketing emails, designed to encourage customers to make purchases on their cards, thus benefiting the company financially.

    Andy Curry, the ICO’s Head of Investigations said:

    This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.
    The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases. Amex’s arguments, which included that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its Credit Agreements with customers, were groundless.
    Our investigation was initiated from just a handful of complaints from customers, tired of being interrupted with emails they did not want to receive. I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.

  • Track & trace ‘partner’ sent 84,000 nuisance emails

    The Information Commissioner’s Office (ICO) has today reported it has fined a Hertfordshire company for sending direct marketing emails to people who provided their personal data for contact tracing purposes as part of the response to the coronavirus pandemic.

    St Albans-based Tested.me Ltd (TML) provides digital contact tracing services which work by offering people a QR code to scan when arriving at their destination.

    TML sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to comply with government contact tracing rules.

    The ICO fined TML £8,000 for using personal data for marketing purposes without adequate valid consent, contrary to law.

    The ICO has created guidelines for businesses to follow as the UK economy continues to open up. Providers should:

    • Adopt a data protection by design approach (DPBD) from the start when they develop new products;
    • Make privacy policies clear and simple so that people understand how their information will be handled;
    • Not keep any personal data they have collected for more than 21 days – in line with regulations brought in last year for the collection of information for contact tracing;
    • Not use the personal data for marketing or any other purpose;
    • Keep up to date with the ICO’s online guidance.