Posts tagged privacy

Reasons to be fearful


As your ‘umble scribe writes this post, part-time alleged prime minister Alexander Boris de Pfeffel Johnson is now on day two of an extensive reshuffle of government ministers.

His first cabinet was chosen more for loyalty to Brexit than for talent and included some who had done a complete 180-degree turn on their pre-referendum stance in order to climb the greasy pole of political ambition.

The latter include the singularly untalented Liz Truss (whose biggest achievement as Trade Secretary was copying and pasting new copies of pre-existing EU trade agreements with third countries so they could continue in effect in a post-Brexit context. Ed.), who can now carry on filling in the ministerial My First Foreign Secretary’s Colouring Atlas where Dominic Raab left off, following the latter’s demotion to Justice Secretary.

The singularly unattractive Priti Patel remains as Home Secretary. The less said about that the better.

However, given the shallowness of the Tory talent pool, the most surprising appointment of the first day of Johnson’s rearranging the deckchairs on the Titanic was his appointment of Nadine Dorries as Secretary of State for Digital, Cultural, Media and Sport. Nadine was put on Earth to demonstrate that potatoes are more intelligent beings than the Rt. Hon. Member for Mid Bedfordshire.

Part of the fragrant Nadine’s brief includes all things digital, including the minor matter of IT security. To gain an insight into the new Secretary of State’s attitude to this subject, I refer readers to 2 Dorries tweets from 2017.

Tweets read 1. My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens [sic] desk was accessed and therefore it was Green is utterly preposterous  You need a pass to get that and 2 Everyone who has my login has a security pass

Cavalier doesn’t quite describe such an attitude to basic security and privacy.

Then there’s the whole question of gravitas – a necessary pre-requisite for public office, not that you’d know it with Bozo the Clown’s appointments.

A quick glance across the English Channel and North Sea to 2 European counterparts reveals some startling contrasts. Besides being French Culture Minister, present incumbent Roselyne Bachelot is an opera fan who has written a well-regarded work on Verdi. Monika Grütters, Germany’s Culture Minister was a university lecturer before entering politics and is still an honorary professor at Berlin’s Free University. On the other hand, Dorries’ biggest claim to fame (after her fiddling expenses) is eating ostrich anus on a so-called reality television show.

Tor Browser squashes user tracking bug

The Tor Project has updated its browser after the discovery of a bug with more than dangerous repercussions for user privacy. URLs based on onion services version 2 should migrate to version 3 before September 2021.

A recent update of the Tor Browser to version 10.0.18 corrects several bugs, including a rather serious vulnerability for users, French IT news site Le Monde Informatique reports. This bug, which is based on version 2 of its onion services, enabled some sites to track users from the applications installed on their devices.

Tor Browser running on Ubuntu Linux. Image courtesy of Wikimedia Commons.

The vulnerability tracked users via their browsers, enabling any website or government to discover a user’s actual IP address, which is contrary to the basic principle of the Tor project. URLs actually benefit from a security gain with version 3 of onion services. This is due to the fact that they use “cleaner” code with stronger cryptography which is proving to be less susceptible to brute force attacks due to its complexity.

URLs under onion services V2 no longer supported from 15 July

The project also announced it would start to deprecate URLs under onion services version 2 by initially advising the operators and clients that access them. With effect from 15 July, Tor will no longer support V2 URLs and support for them will be removed from the browser codebase.

So as to ensure that each user and website administrator is well aware of this change, a message will be displayed “when visiting sites which are still using V2 URLs advising they will shortly be deprecated and the site will be inaccessible unless it is updated to version 3 of onion services”.
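
For administrators wanting to find links that will stop working, here is an added example (not from the Tor Project or the original post) that sorts a list of links into V2 and V3 onion addresses and checks the checksum built into every V3 address. It assumes the published address layouts: 16 base32 characters for V2, and 56 base32 characters encoding a 32-byte public key, 2-byte checksum and version byte for V3. The function names and sample links are made up for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

V2_LABEL = re.compile(r"[a-z2-7]{16}")   # v2: 80 bits, base32
V3_LABEL = re.compile(r"[a-z2-7]{56}")   # v3: 35 bytes, base32


def v3_checksum(pubkey: bytes, version: bytes = b"\x03") -> bytes:
    # First two bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    # Builds a syntactically valid v3 hostname from 32 key bytes (sample data only).
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify(url: str) -> str:
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    if not host.endswith(".onion"):
        return "not-onion"
    label = host[: -len(".onion")].split(".")[-1]  # ignore subdomains
    if V2_LABEL.fullmatch(label):
        return "v2-deprecated"
    if V3_LABEL.fullmatch(label):
        raw = base64.b32decode(label.upper())
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        # A wrong version byte is reported under the same verdict as a bad checksum.
        if version == b"\x03" and checksum == v3_checksum(pubkey):
            return "v3"
        return "v3-bad-checksum"
    return "malformed"


def audit(urls):
    return {u: classify(u) for u in urls}


# Constructed sample links; none refers to a real service.
SAMPLE_LINKS = [
    "http://abcdefghijklmnop.onion/",
    "http://" + encode_v3(bytes(range(32))) + "/index.html",
    "https://example.com/",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_LINKS).items():
        print(f"{verdict:16} {url}")
```

A "v3-bad-checksum" verdict usually points to a mistyped or truncated address rather than a deprecated one.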

American Express? That won’t do nicely!

Yesterday the Information Commissioner’s Office (ICO) reported that it had fined American Express Services Europe Ltd. (Amex) £90,000 for sending four million unlawful, unsolicited marketing emails.

IT news site The Register has done some number crunching and worked out that the fine imposed by the ICO is equivalent to 0.021p per offending email or 0.009 per cent of Amex’s annual profits.

The regulator instigated investigations after receiving complaints from American Express customers who had specifically opted out of receiving marketing information. During its investigation the ICO found that American Express had sent over 50 million so-called “servicing emails” to customers (which anyone sensible would call spam. Ed.). The ICO revealed that between 1st June 2018 and 21st May 2019, over 4 million of those emails were marketing emails, designed to encourage customers to make purchases on their cards, thus benefiting the company financially.

Andy Curry, the ICO’s Head of Investigations said:

This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.
The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases. Amex’s arguments, which included, that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its Credit Agreements with customers, were groundless.
Our investigation was initiated from just a handful of complaints from customers, tired of being interrupted with emails they did not want to receive. I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.

Track & trace ‘partner’ sent 84,000 nuisance emails

The Information Commissioner’s Office (ICO) has today reported it has fined a Hertfordshire company for sending direct marketing emails to people who provided their personal data for contact tracing purposes as part of the response to the coronavirus pandemic.

St Albans-based Ltd (TML) provides digital contact tracing services which work by offering people a QR code to scan when arriving at their destination.

TML sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to comply with government contact tracing rules.

The ICO fined TML £8,000 for using personal data for marketing purposes without adequate valid consent, contrary to law.

The ICO has created guidelines for businesses to follow as the UK economy continues to open up. Providers should:

  • Adopt a data protection by design approach (DPBD) from the start when they develop new products;
  • Make privacy policies clear and simple so that people understand how their information will be handled;
  • Not keep any personal data they have collected for more than 21 days – in line with regulations brought in last year for the collection of information for contact tracing;
  • Not use the personal data for marketing or any other purpose;
  • Keep up to date with the ICO’s online guidance.