STE WILLIAMS

Rights Commish warns of creeping gov data menace

The government’s approach to the collection and use of personal data is “deeply flawed”, according to a report from the Equalities and Human Rights Commission (EHRC).

The EHRC has joined in long running complaints from privacy activists with the publication of a report, Protecting Information Privacy (105-page PDF/716KB), which says public authorities may be unaware they are breaking the law, as the complexity of the legal framework makes their obligations unclear.

It acknowledges that the demand for information is coming from the public and the private sectors, and says there is a risk of eroding the right to privacy.

The report finds that it is difficult for people to know what information is held about them, by which government agency or private sector body, or how it is being used. For example, as there is currently no law regulating the use of CCTV cameras it would be very difficult for someone to find which organisations hold footage of them.

It can be hard to check the accuracy of personal data held, to hold anyone to account for errors in the data or its misuse, and to challenge decisions made about someone on the basis of that information. Calling any public or private organisation to account is made harder still because people often do not know what their rights are, or when a breach of those rights has occurred.

The EHRC says that breaches of privacy are likely to get worse in the future as demand for personal information increases and as new technology is developed that is not covered by existing legislation or regulations. Piecemeal reform of relevant laws, such as the proposals in the Protection of Freedoms Bill, may not be sufficient to ensure people’s rights are protected.

In response, it makes a handful of recommendations:

  • Streamline the current legislation on information privacy so that it is easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights.
  • Ensure that public bodies and others have to properly justify why they need someone’s personal data and for what purpose. Any requirement to use personal data for any purpose other than for which it was collected should go through a vetting process.
  • All public bodies should carefully consider the impact on information privacy of any new policy or practice and ensure that all requests for personal data are justified and proportionate.

Geraldine Van Bueren, a commissioner for the EHRC, said: “It’s important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it’s accurate or being able to challenge this effectively.

“This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/ehrc_warns_of_data_threat/

Man reveals secret recipe behind undeletable cookies

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode.

The technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month.

KISSmetrics’ CEO responded with a post on the company’s website claiming the research “significantly distorts our technology and business practices.” The company also responded by adding a “consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking, going well beyond the options that other analytics companies provide.”

Ashkan Soltani, one of the researchers, stands by the findings and said KISSmetrics’ recently updated privacy policy doesn’t make it clear how users go about opting out of tracking.

At the heart of the technique is the HTTP ETag: a validator string the browser stores alongside a cached resource and sends back, in an If-None-Match header, whenever it asks the server whether its cached copy is still current. KISSmetrics served a script from kissmetrics.com with a unique identifier as its ETag; each time one of the participating websites loaded that script, the browser’s revalidation request handed the same identifier back to the KISSmetrics server.

“It’s effectively acting like a cookie because with every connection to KISSmetrics, it will send a referrer header and the ETag value,” Soltani told The Register. “The ETag is effectively acting as a cookie. It has the same exact value of the cookie as well.”

KISSmetrics combined the ETag technique with several other controversial technologies that use Adobe Flash and HTML5 storage to recreate tracking cookies even after a user had deliberately deleted them. Soltani and his colleagues first documented the move in 2009 and dubbed it cookie “respawning.”

Adobe responded by building an API that lets browsers clear Flash cookies from their standard clear-history menus. The advent of server-side tracking that reads identifiers back out of ETag data means it is once again trivial for analytics services to defy the wishes of visitors who don’t want to be tracked.

“The more accurately they can represent the number of uniques that have visited their sites the more value they can provide for their analytics customers,” Soltani explained. “That might mean you as a person who doesn’t want to be tracked uniquely trying to opt out. They’re incentivized to circumvent that opt-out.”

Soltani said the only way to block the tracking using the technique is to block all cookies and to clear the browser cache after each site visited. He has published a detailed technical description of the new technique here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/cookie_respawning_secrets_revealed/

WikiLeaks admits insider deleted loads of its data

We do have more than one source, honest. Well, we did

WikiLeaks has explained the non-appearance of Bank of America data it frequently promised to publish: a defector took the only copies with him when he left the organisation and has now deleted the files.

Daniel Domscheit-Berg left WikiLeaks last summer and took the documents with him following a dispute with Julian Assange. This seems to have centred on Berg’s relationship with a woman at Microsoft.

Berg was suspended at the end of August 2010 and, WikiLeaks claims, has tried to extract money from the group in return for their data. In January he set up his own version of WikiLeaks, but the site has been inactive since then. He also wrote a book about his time at the site.

Assange’s organisation confirmed on Twitter that Berg had destroyed 20 gigabytes of information from the Bank of America, the entire US no-fly list and US intercept arrangements for 100 companies as well as details and emails from 20 neo-Nazi groups and a German far right group. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/wikileaks_data_lost/

Facebook wannabe rioters cop large helpings of porridge

Two men have been banged up for four years apiece, after unsuccessfully inciting violent disorder on Facebook.

Jordan Blackshaw, 20, of Vale Road in Marston near Northwich and Perry Sutcliffe-Keenan, 22, of Richmond Avenue, Warrington, were handed the harsh sentences at Chester Crown Court yesterday.

“If we cast our minds back just a few days to last week and recall the way in which technology was used to spread incitement and bring people together to commit acts of criminality it is easy to understand the four-year sentences that were handed down in court today,” said Chester police assistant chief constable Phil Thompson.

Jordan Blackshaw

“In Cheshire, we quickly recognised the impact of the situation on our communities and the way in which social media was being used to promote and incite behaviour that would strike fear in to the hearts of our communities.”

The court hoped that the hefty sentences would deter others from writing similar stupid posts on social networks.

Perry Sutcliffe-Keenan

“Officers took swift action against those people who have been using Facebook and other social media sites to incite disorder,” added Thompson.

“The sentences passed down today recognise how technology can be abused to incite criminal activity and send a strong message to potential troublemakers about the extent to which ordinary people value safety and order in their lives and their communities. Anyone who seeks to undermine that will face the full force of the law.”

The two men pleaded guilty under sections 44 (intentionally encouraging or assisting an offence) and 46 (encouraging or assisting offences believing one or more will be committed) of the Serious Crime Act 2007.

However, neither Blackshaw nor Sutcliffe-Keenan succeeded in inciting a riot in his home town after posting “events” and “pages” on Facebook.

The Crown Prosecution Service told the BBC that Blackshaw had called on Facebookers who were members of the “Mob Hill Massive Northwich Lootin'” group to “Smash d[o]wn in Northwich Town”.

That group has now been removed from Facebook.

The event created by Blackshaw urged people to meet on the afternoon of 9 August “behind maccies” – understood to mean the McDonald’s fast food joint – in Northwich town centre.

He also posted the first comment on the page, declaring: “We’ll need to get this kickin off all over.”

Only the police turned up at Maccie-D’s, however, and Blackshaw was promptly arrested.

Sutcliffe-Keenan, meanwhile, created a Facebook page calling on people to “riot” on 10 August. His message went out to 400 contacts on the site, but he took down the page the following morning, claiming the post had been a joke.

Similarly, no rioting took place as a result of Sutcliffe-Keenan inciting people to do exactly that in his home town of Warrington.

But both men were handed tough sentences yesterday for their actions on Facebook.

Their profiles no longer exist on the social network. But inevitably, a page in support of the pair has already appeared on Facebook.

The “Free Jordan Blackshaw Perry Sutcliffe-Keenan” page currently has 20 people who “like” it.

However, many of the posts on the site are heavily abusive comments. So presumably the Facebook police will see this and take down the page.

There’s also a separate page urging Facebookers to campaign “Against Jail Sentences for Rioters Looters”.

It currently has one solitary fan. ®

[We submit for your consideration the term ‘flashplod’ for a planned flashmob event where only police turn up – apparently now quite common – ed]

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/facebook_riot_four_year_sentences/

Profit-disaster CEO at Blue Coat: I’ll get my coat

Blue Coat boss Michael Borman has fallen on his sword following declining sales and profits in fiscal first quarter 2012.

The web security and WAN optimisation minnow saw sales come in at $109.5m (£66.7m) down 9 per cent sequentially and 11 per cent on last year, as profits fell 70 per cent quarter-on-quarter to $2.7m (£1.6m) and 81 per cent on Q1 2010.

The exit of Borman, who only joined the firm early September last year – he had previously been CEO at Avocent – was confirmed at the same time as the numbers.

“Our first quarter results were disappointing as they came in below our expectations,” said David Hanna, chairman at Blue Coat. “We are taking the necessary actions.”

His replacement, Gregory Clark – most recently president and CEO of enterprise software group Mincom – is set to join Blue Coat in the same roles from the middle of next month.

The Q1 financials were impacted by “go-to-market challenges” and “weakness in the US Federal vertical” which pushed down revenues and profits, the firm said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/blue_coat_ceo_quits/

App developer slurped kids’ data without consent

A mobile applications developer will be fined $50,000 for allegedly collecting and disclosing children’s personal information without parental consent, the US Federal Trade Commission (FTC) has said.

The US consumer regulator settled charges against W3 Innovations and its owner, Justin Maples, over the company’s alleged violation of the US Children’s Online Privacy Protection Act (COPPA) and the FTC rule that implements the Act, it said. A court has yet to approve the consent agreement, which would settle the civil charges.

The agreement would also prohibit W3 and Maples from violating COPPA in the future and force them to delete all personal information collected in violation of the laws, the FTC said.

“According to the [FTC’s] complaint, [W3 and Maples] did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children. The FTC charged that those practices violated the COPPA Rule,” the FTC said in a statement.

COPPA requires that “the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child … obtain verifiable parental consent for the collection, use, or disclosure of personal information from children”.

W3, operating as Broken Thumbs Apps, developed games apps for kids, including Emily’s Girl World, Emily’s Dress Up and Emily’s Runway High Fashion.

The Emily apps “encouraged children to email ‘Emily’ their comments and submit blogs to ‘Emily’s Blog’ via email, such as ‘shout-outs’ to friends and requests for advice. The FTC alleges that the defendants collected and maintained thousands of email addresses from users of the Emily apps”, the FTC said.

“In addition to collecting and maintaining children’s email addresses, the FTC alleges that the defendants also allowed children to publicly post information, including personal information, on message boards,” the FTC statement said.

Broken Thumbs Apps’ titles were downloaded more than 50,000 times from Apple’s App Store, and the company collected personal data from thousands of children under the age of 13 without consent, the FTC claimed.

The FTC voted to refer the case to the US Department of Justice, which filed the FTC’s complaint and proposed a settlement agreement with a district court in California. The court will now decide whether to approve the settlement.

“The FTC’s COPPA Rule requires parental notice and consent before collecting children’s personal information online, whether through a website or a mobile app,” FTC chairman Jon Leibowitz said.

“Companies must give parents the opportunity to make smart choices when it comes to their children’s sharing of information on smartphones,” Leibowitz said.

The FTC said it was the first time it had been involved in a case against an apps developer.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/app_dev_collected_kid_data_says_ftc/

German authorities park tanks on Facebook’s lawn

Facebook has once again been criticised by a data protection authority in Germany for siphoning off information about the country’s citizens to servers based in the US.

This time the company’s “like” button and “pages” feature have been attacked by DPA officers in the Northern German federal state of Schleswig-Holstein.

On Friday, Germany’s Independent Centre for Privacy Protection (ULD) called on website operators based in that region to “shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites,” according to a statement on the DPA’s website.

It said it had concluded that those features violated the German Telemedia Act as well as the Federal Data Protection Act.

The Schleswig-Holstein DPA noted that anyone using the functions within the dominant social network would have their “service traffic and content data” transferred to servers located in the US.

“Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years,” it claimed.

“Facebook builds a broad individual and for members even a personalised profile. Such a profiling infringes German and European data protection law.

“There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use,” the ULD argued.

It said it expected website owners based in Schleswig-Holstein to bar such user data being passed on to Facebook by “deactivating” such services.

Public bodies that fail to comply could face formal complaints, the ULD said, while private operators could be fined; the authority said it would begin taking such action by the end of next month.

“ULD has pointed out informally for some time that many Facebook offerings are in conflict with the law. This unfortunately has not prevented website owners from using the respective services and the more so as they are easy to install and free of charge,” said ULD commissioner Thilo Weichert.

“Institutions must be aware that they cannot shift their responsibility for data privacy upon the enterprise Facebook which does not have an establishment in Germany and also not upon the users.”

The commissioner added that the Schleswig-Holstein state was continuing to analyse the “privacy impact” of Facebook applications.

“Users can take their part by trying to avoid privacy adverse offerings,” the commissioner added.

“To internet users, ULD offers the advice to keep their fingers from clicking on social plug-ins such as the ‘like’-button and not to set up a Facebook account if they wish to avoid a comprehensive profiling by this company. Profiles are personal information; Facebook is requiring its members to register their actual name.”

This is Germany’s latest privacy crackdown against Facebook.

A few weeks ago, Hamburg’s data protection authority warned the social network that it could be fined if the company failed to delete the “biometric data” it harvests from its facial recognition tech, which was quietly rolled out to the service in Europe earlier this year.

Facebook quickly rejected the claim that it wasn’t meeting its obligations under EU data protection law.

The company isn’t actually breaching any Brussels data protection law as of today. But legislation is expected in the autumn from the EU that will apply to any business operating in Europe.

“We firmly reject any assertion that Facebook is not compliant with EU data protection standards. The Facebook Like button is such a popular feature because people have complete control over how their information is shared through it,” said the firm in an emailed statement.

“For more than a year, the plugin has brought value to many businesses and individuals every day. We will review the materials produced by the ULD, both on our own behalf and on the behalf of web users throughout Germany.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/schleswig_holstein_facebook_dislikes_like_and_pages/

Anonymous/LulzSec chick-lit MP kid threat pooh-poohed

Chick-lit authoress and politician Louise Mensch, somewhat famed for being fired from EMI due to “inappropriate dress” and copping to possible drug use and bad dancing in her salad days, says that hacktivists from Anonymous and/or LulzSec have threatened her children by email.

The Tory MP, who has penned various lighthearted lipstick’n’bonking-themed ladies’ reads under the name Louise Bagshawe, tweeted:

Had some morons from Anonymous/LulzSec threaten my children via email. As I’m in the States, be good to have somebody from the UK police advise me where I should forward the email. To those who sent it; get stuffed, losers.

Oh and I’m posting it on Twitter because they threatened me telling me to get off Twitter. Hi kids! ::waves::

I’ve contacted the police via the House of Commons and the email is with them now. I don’t bully easily, kids. Or in fact at all.

Security-firm mouthpiece Graham Cluley (of Sophos) pooh-poohed the notion that Anons or LulzSec-ers might be behind the outrage, commenting:

In my opinion it doesn’t sound very likely that the threatening email (which hasn’t been released) was from Anonymous or LulzSec. Neither group has a history of engaging in physical violence, preferring to sit behind computer keyboards instead.

Furthermore, it seems very odd that Anonymous or LulzSec would send an email, when their normal practice is to post a message on Twitter or a link to a statement on PasteBin.

Mensch previously achieved modest fame after being contacted by “an investigative journalist” (unidentified) following her participation in political grillings aimed at exploring the extent of skulduggery in Fleet Street journalism. The supposed journo referred to claims that she had possibly taken drugs and committed dance blunders while working at EMI in the 1990s.

The punchy MP stated on that occasion:

Although I do not remember the specific incident, this sounds highly probable … since I was in my twenties, I’m sure it was not the only incident of the kind; we all do idiotic things when young. I am not a very good dancer and must apologise to any and all journalists who were forced to watch me dance that night at Ronnie Scott’s …

[This was] not why I was fired by EMI. “Leaving work early” and “missing the odd day at work” along with “inappropriate dress” were the reasons quoted to me.

So there. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/louise_mensch/

Skype bug could expose users to malicious code attack

The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user’s phone session, a German security researcher has reported.

The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to inspect user-supplied phone numbers for malicious code, researcher Levent Kayan said. As a result, attackers might be able to exploit the bug to inject commands or scripts that hijack the machine running the program.

“An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.

A screen shot from Kayan’s website showing the injection bug in action

The unsafe content is displayed when users view a booby-trapped profile. The malicious profile is created by inserting a JavaScript command or web address where a phone number is expected. The reported vulnerability is eerily reminiscent of an XSS bug Kayan reported in an earlier version of Skype last month. Skype representatives didn’t immediately respond to an email requesting comment on the persistent code injection vulnerability.
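The bug class described above, as an added example; this is not Skype’s code and does not reproduce the client’s internals. It renders a contact’s profile into HTML the way a careless client might, beside a hardened version that validates the phone number when it is accepted and escapes every field when it is displayed. The profile objects, the payload and the helper that spots injected tags are constructed for the example.

```javascript
// Added example, not Skype's code: a profile field dropped into HTML
// unescaped, beside the two-layer fix. Profiles and payload are constructed.

// Vulnerable rendering: the phone number is concatenated straight into
// markup, so a "number" containing HTML becomes part of what the viewer sees.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><span class="name">${profile.name}</span>` +
         `<span class="phone">${profile.mobile}</span></div>`;
}

// Layer 1: output encoding. Every character with meaning in an HTML text or
// attribute context is replaced by its entity before the value reaches the DOM.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (c) => entities[c]);
}

// Layer 2: input validation where a phone number is accepted. A phone number
// needs digits and a little punctuation; anything else is rejected rather
// than stored, so a payload never reaches other users' clients at all.
const PHONE_RE = /^\+?[0-9][0-9 ()\-.]{2,30}$/;
function isPlausiblePhoneNumber(value) {
  return PHONE_RE.test(String(value));
}

// Hardened rendering: validated input is still escaped, because the display
// code should not trust that every writer of the field validated it.
function renderProfileSafe(profile) {
  const phone = isPlausiblePhoneNumber(profile.mobile)
    ? profile.mobile
    : '[invalid number]';
  return `<div class="profile"><span class="name">${escapeHtml(profile.name)}</span>` +
         `<span class="phone">${escapeHtml(phone)}</span></div>`;
}

// A booby-trapped profile of the kind the advisory describes: markup where a
// phone number belongs. The onerror handler runs with no user interaction.
const maliciousProfile = {
  name: 'Alice',
  mobile: '<img src=x onerror="alert(document.cookie)">',
};
const honestProfile = { name: 'Bob', mobile: '+44 20 7946 0123' };

// Check helper: any tag in the output other than the template's own div/span.
function injectedTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || [])
    .filter((t) => !/^<\/?(div|span)\b/i.test(t));
}
```

Run `injectedTags(renderProfileUnsafe(maliciousProfile))` and the `<img ...>` element comes back, which is the bug: the viewer’s client would execute the handler. The safe renderer yields no foreign tags for the same profile, and the honest number survives both validation and escaping unchanged. Validation alone is not enough, because a field written through some other code path, or before the check was added, still has to be displayed safely.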

Such vulnerabilities open the possibility of creating self-replicating attacks if they can be used to target users contained in each victim’s contact list. As each new user is exploited, the worm spreads virally by attacking a whole new set of people. A vulnerability reported in May for Mac versions of Skype was described as wormable, though there are no reports it was ever exploited in the wild. It’s unclear if the current vulnerability is also self-replicating.

Microsoft is in the process of acquiring the popular internet-based phone service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/skype_security_bug/

PHP users warned to stay away from latest update

Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions.

The flaw in version 5.3.7 involves the crypt() function, which hashes a string for password storage. When crypt() is called with an MD5-style salt (a setting string beginning with $1$, the salt being the random characters that make two users’ identical passwords hash differently), the function returns only the salt rather than the salted hash. The bug doesn’t appear to affect crypt() when the DES or Blowfish methods are used.

“If crypt() is executed with MD5 salts, the return value consists of the salt only,” a bug report published on Wednesday stated. “DES and Blowfish salts work as expected.”

Despite the advisory, PHP maintainers released the update the following day. It fixed several security vulnerabilities, including a buffer overflow in the crypt() function when it was handed an overlong salt.

On Monday, the maintainers advised users to steer clear of the update.

“Due to unfortunate issues with 5.3.7 users should wait with upgrading until 5.3.8 will be released (expected in few days),” they wrote.

PHP lets webmasters generate pages dynamically, tailored to variables such as where a visitor is located, the browser in use and when the page is requested. The freely available open-source interpreter runs millions of websites, so a vulnerability in it can cause widespread security problems.

For those who can’t wait until the next release, fixes are available in intermediate versions available here and here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/php_security_warning/