Privacy Roundup #0021 • April 2008

April 2008 was dominated by Britain's Phorm scandal, in which deep packet inspection at the heart of the ISPs collided with wiretap law and the data watchdog, while councils were caught snooping on litterbugs.

1. BT and Phorm secretly tracked 18,000 customers in 2006

BT Retail intercepted and profiled the web browsing of about 18,000 broadband customers in autumn 2006 without their knowledge or consent. The harvested data was used to target advertisements for financial products, weight loss services and job sites at the unwitting subscribers.

www.theregister.com

2. FIPR: ICO gives BT 'green light for law breaking' with Phorm

The Information Commissioner's Office issued a statement on Phorm that the Foundation for Information Policy Research condemned as a green light for breaking the law. FIPR argued that BT and Phorm lacked the consent from website hosts and third parties needed to deploy the system lawfully.

www.fipr.org

3. Phorm admits 'over zealous' editing of Wikipedia article

Phorm removed factual passages from its own Wikipedia entry, including details of misleading customer trials and ethical concerns raised by major publications. The company later conceded it had been over zealous, having breached Wikipedia's conflict of interest policy by deleting accurate critical material.

www.techdirt.com

The Article 29 Working Party, an influential European Commission privacy group, called on search engines to delete user cookies within six months rather than the year or more then common. The regulators held that personal data must be erased once it is no longer necessary for the purpose for which it was collected.

www.computerworld.com

5. American ISPs already sharing data with outside ad firms

Several United States internet providers, among them Knology, Embarq and WideOpenWest, were quietly feeding their customers' browsing into behavioural advertising firms such as NebuAd. NebuAd put the reach of its deep packet inspection at roughly a tenth of all American web surfers, with privacy groups warning that burying notice in the terms of service fell far short of meaningful consent.

www.heise.de

6. Information Commissioner: Phorm must be opt-in only

The Information Commissioner's Office revised its statement to insist that Phorm's advertising system operate on an opt-in basis to comply with data protection law. Of the three ISPs involved, only Carphone Warehouse had committed to obtaining explicit consent, while BT and Virgin Media had not.

www.pinsentmasons.com

7. Local council uses snooping laws to spy on three-year-old

Poole Borough Council admitted using the Regulation of Investigatory Powers Act, legislation meant for police and security services, to place a family with a three-year-old under surveillance over a school place application. Privacy campaigners called the move a disproportionate use of powers that undermined public trust in lawful surveillance.

www.politics.co.uk

8. BT's 'illegal' 2007 Phorm trial profiled tens of thousands

BT's covert summer 2007 Phorm trial affected far more customers than first disclosed, with estimates ranging from 38,000 to 108,000 users profiled without consent. Both BT and Phorm declined to give exact figures, with one BT executive describing the tracking as small scale.

www.theregister.com

9. BT's secret Phorm trials open door to corporate eavesdropping

The government refused to investigate BT's covert wiretapping despite its own experts concluding the interception likely breached criminal law. The case exposed a regulatory gap in which no authority would take responsibility for holding a private company to account for mass surveillance.

www.theregister.com

10. Oklahoma corrections website leaked thousands of social security numbers

A trivial SQL injection flaw in the Oklahoma Department of Corrections website left names, addresses and social security numbers of residents open to anyone with a web browser. The hole, exposed publicly in mid-April, had reportedly sat unpatched for around three years and even allowed records in the database to be altered.

www.schneier.com

11. Surveillance camera photos

Bruce Schneier highlighted a set of images, including work by the street artist Banksy, that comment wryly on the spread of surveillance cameras. The post used art and graffiti to puncture the culture of constant watching in public spaces.

www.schneier.com

12. Mr. and Mrs. Boring sue Google over Street View pics

Aaron and Christine Boring sued Google for invasion of privacy after its Street View cars photographed their Pittsburgh home and swimming pool from what they said was a marked private road. The couple, who had bought the property for its seclusion, sought damages and the removal of the images.

yro.slashdot.org

13. Chertoff says fingerprints aren't personal data

The United States Homeland Security secretary Michael Chertoff dismissed privacy concerns about sharing fingerprints between countries, claiming a fingerprint was hardly personal data because people leave prints on glasses and cutlery everywhere. Critics retorted that the privacy value lies in the association between a print and a named individual, not in the ridges themselves.

www.schneier.com

14. Six months on from HMRC, data losses still rising, says ICO

Six months after HMRC lost an entire child benefit database, the Information Commissioner reported that organisations had disclosed nearly a hundred further data breaches. Richard Thomas voiced his disappointment that the HMRC fiasco had not driven better data protection across the public and private sectors.

www.pinsentmasons.com

15. Home Office defends 'dangerously misleading' Phorm thumbs-up

The Home Office defended its guidance supporting the BT and Phorm Webwise system after FIPR branded the advice significantly incomplete and dangerously misleading. The department insisted its informal note was not a definitive statement of the law, which only the courts could give.

www.fipr.org

16. UK airports to trial face scan passport checks

The UK Border Agency announced that automated gates using facial recognition would be tested at British airports over the summer, matching travellers against the biometric data held in new passports. Civil liberties observers questioned both the accuracy of the technology and the spread of biometric checks at the border.

edri.org

17. Anti-Spyware Coalition probes data pimping

The Anti-Spyware Coalition set up a working group to decide how behavioural advertising firms such as Phorm and NebuAd should be treated under its spyware definitions. The industry body acknowledged that covert deep packet inspection of customers sat in a grey area where consent and risk were far from settled.

www.theregister.com

18. Spy regs used against dogs, litterbugs

A Press Association investigation found that British local councils had used surveillance powers under the Regulation of Investigatory Powers Act to pursue minor offences such as dog fouling and littering. Forty-six councils had invoked the powers 1,343 times, prompting calls for a review of how far the law reached.

www.theregister.com

19. Zango's adware fox desperate to guard net henhouse

The adware maker Zango asked an appeals court to overturn a ruling that gave the security firm Kaspersky immunity for classifying its software as adware that led to objectionable material. Kaspersky framed the case as a test of whether security vendors could keep blocking unwanted programs free from legal pressure.

www.theregister.com

20. MS supplies cops with DIY forensics tool

Microsoft confirmed it was distributing COFEE, a USB device bundling some 150 commands that let investigators pull internet history and decrypt passwords from a suspect's computer at the scene. The tool, already in the hands of thousands of officers in more than a dozen countries, raised questions about the soundness of such evidence and the danger of the kit leaking to criminals.

www.engadget.com

