Not only did they have my email address, they also had a copy of one of my phone numbers. I asked them where they got it from and they said:

Your phone number came from Parsely, Inc (wpvip.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

I've never done any business with Parsely. They have no reason to have my phone number and absolutely no permission to share it with other organisations.

Back in 2021, Parsely became part of WordPress VIP. Ah yes, our old "friends" at Automattic with their somewhat lax attitude to privacy.

I took advantage of WordPress VIP's GDPR policy and sent a terse but polite "Hey, WTAF?" to them. Their response was quick:

Thanks for reaching out. We are currently investigating our systems to locate any personal data regarding your request. We appreciate your patience.

After a bit of prodding, they eventually replied with:

It appears that we obtained your contact information as a result of a meeting you had with a representative for the WPScan service around August 5, 2022. WPScan is owned by our parent company Automattic.

We have no record of Parsely, Inc. (which is no longer in existence) or WPVIP Inc. (the owner of the Parse.ly service) having any relationship with Apollo.io.

We also have no record of Parsely, Inc. or WPVIP Inc. having sold or otherwise provided your information to any third party.

I have no memory and no record of meeting anyone from WPScan - although I concede it is possible I did as part of a previous job.

But even if it was in an email signature when I contacted them that still doesn't explain how it made its way to Apollo for them to give to spammers everywhere. Was it a hack? A data leak? A treacherous employee? A deliberate sale? A sneaky app update? Or maybe just Apollo lying to me.

I don't care any more. I'm just so tired of shitty companies treating personal data as a commodity to be traded, sold, repackaged, and abused.

A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few emails back-and-forth with their support team and finally got set up.

A couple of days later I received an email to that email address from someone other than BrowserStack. After a brief discussion, the emailer told me they got my details from Apollo.io.

Naturally, I reached out to Apollo to ask them where they got my details from.

They replied:

Your email address was derived using our proprietary algorithm that leverages publicly accessible information combined with typical corporate email structures (e.g., firstname.lastname@companydomain.com).

Wow! A proprietary algorithm, eh? I wonder how much AI it takes to work out "firstname.lastname"????

Obviously, their response was inaccurate. There's no way their magical if-else statement could have derived the specific email I'd used with BrowserStack. I called them out on their bullshit and they replied with:

Your email address came from BrowserStack (browserstack.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

The date of collection is 2026-02-25.

So I emailed BrowserStack a simple "Hey guys, what the fuck?"

I love their cheery little "No spam, we promise!"

Despite multiple attempts to contact them, BrowserStack never replied.

Given that this email address was only used with one company, I think there are a few likely possibilities for how Apollo got it.

• BrowserStack routinely sell or give away their users' data.
• A third-party service used by BrowserStack siphons off information to send to others.
• An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

There are other, more nefarious, explanations - but I consider that to be unlikely. I suspect it is just the normalisation of the shabby trade in personal information undertaken by entities with no respect for privacy.

But, it turns out, it gets worse. My next blog post reveals how Apollo got my phone number from from a very big company.

Be seeing you 👌

What?!

It is yet another of those baroque standards which spits out things like:

cid.uri.arpa.
;;       order pref flags service        regexp           replacement
IN NAPTR 100   10   ""    ""  "!^cid:.+@([^\.]+\.)(.*)$!\2!i"    .

Essentially, it is a way to store contact details within a DNS record (rather than in a WHOIS record).

Back in the early 2000s, the dotTel company opened the .tel TLD with a promise that it could be used to store your contact details in DNS⁰. The idea was simple, rather than storing my phone number in your address book, you'd store my domain name - https://edent.tel/

If I updated my phone number, changed my avatar, or deleted an old email address - your address book would automatically update via DNS. Nifty!

If you didn't know a company's phone number, you'd dial example.com on your phone and it would grab the phone numbers from DNS. Wowsers trousers!

You can see an example by running:

dig justin.tel NAPTR

You'll get back something like:

NAPTR   100 101 "u" "E2U+web:http" "!^.*$!http://justinkhayward.com!" 

A phone number stored in a NAPTR would look something like:

NAPTR   100 100 "u" "E2U+voice:tel" "!^.*$!tel:+442074676450!" .

Brilliant! But there's a problem - aside from the somewhat obtuse syntax! - and that problem is spam.

Those of you old enough to remember putting your unexpurgated contact details into WHOIS know that the minute it went live you were bombarded with sales calls and scammy emails. So putting your details directly into DNS is a bad idea, right?

.tel thought they'd come up with a clever hack to prevent that. As they explain in the .tel privacy paper, records can be individually encrypted.

• Alice has her contact details on alice.tel
• Bob has his contact details on bob.tel
• Alice agrees to share her phone number with Bob.
• Alice looks up Bob's public key from bob.tel.
• Alice encrypts her phone number.
• Alice generates a new DNS record specifically for Bob - bob123456.alice.tel
• Alice shares the name of the new record with Bob.
• Bob downloads the NAPTR from bob123456.alice.tel and decrypts it with his private key.
• Bob periodically checks for updates.
• Alice can decide to revoke Bob's access by removing the data or subdomain.

Clever! If convoluted. You can read more about the way friendships and public keys were managed and some more technical details.

Are there better ways?

Multi Recipient Encryption

When people say "you can't give Government a secret key to your private messages" they are technically incorrect¹. Multi Recipient Encryption is a thing.

Here's a very simplified and subtly wrong explanation:

• Alice creates a temporary public/private keypair.
• Alice encrypts some text with her temporary public key - resulting in e.
• Alice encrypts the temporary private key with Bob's public key - resulting in k1.
• Alice encrypts the temporary private key with Charlie's public key - resulting in k2.
• Alice publishes the concatenation of e+k1+k2
• Bob downloads the file, decrypts his version of the key, and uses that to decrypt the message.
• Charlie does the same.

In this way, both recipients are able to decipher the text but no one else can. So can we just shove an encrypted record in the NAPTR? Not quite.

There are two main problems with this for DNS purposes.

1. The encrypted size grows with every recipient.
2. Every time a new recipient is added, everyone needs to download the data again even if it is unchanged.

Generally speaking, DNS records are a maximum of 255 characters - although they can be concatenated.

An extra record could be used to say when the plaintext was last updated - which would let existing recipients know not to download it again.

Monitoring for changes would allow a user to know roughly how many recipients had been added or removed.

What other ways could there be?

What else could be done?

Here's the user story.

• I want a friend to subscribe to my [phone|email|street|social media] address(es).
• I must be able to pre-approve access.
• When I change my address, my friend should get my new details.
• I need to be able to revoke people's access.
• This should be done via DNS².

Using an API this would be playing on easy mode. A friend (or rather, their app) would request an API key from my service. I would approve it, and then ✨magic✨.

DNS isn't technically an API although, with enough effort, you could make it behave like one³.

So - how would you do it?

The best thing about QR codes is that they're free. It doesn't cost any money to generate one. They're an open standard with no middle-men. Users can go direct to your site!

Except… Some people want to insert themselves into your conversation. Sometimes it is for malicious reasons, sometimes it is greed for user data, and sometimes it is just incompetence.

Let's take this example - a health centre wants people to register. Scan the QR and get started. Fab!

Photo shamelessly stolen from a LinkedIn contact.

But what happens when you scan the QR code? Rather than taking you directly to an authoritative and trusted NHS.UK domain name, it sends you through https://register-with-gp.ht1.uk/.

Who on earth are HT1.UK?

According to their website, they're an automation company who are "on a mission to make the NHS the most advanced healthcare system in the world."

Good for them. But what information are they collecting about users who traverse through their QR codes? If you take a look at their privacy policy you won't find anything specific. Never mind, let's email their friendly privacy team. What's their email address?

Of course, emailing that gets you back this error:

Emoji! How fun!!

So I emailed the new address to see what information they were collecting. Their response wasn't particularly informative.

because Healthtech-1 is a processor of information and the GP practice is the data controller any requests about how your data is handled should be made to the GP practice who can inform you of the information you requested.

…

I can confirm that there is no information stored about users who scan the QR codes and no cookies placed.

But, of course, users have no way of verifying what this company is storing about them. There's simply no reason to use an untrusted 3rd party like this to provide either a QR code or an intermediary website.

Why this is a problem

Trust is everything. People are constantly being scammed. One of the great things that GOV.UK did was to say "This here is our trusted brand. If you don't see GOV.UK in the URl bar - don't trust it!"

The NHS should be doing the same. Every hospital, surgery, and clinic should have an NHS.UK domain name. When a user sees a link to a healthcare service which doesn't go through NHS.UK, they should feel suspicious and not click on it.

There is no way as a regular user to know that HT1.UK is a trusted domain. What about HT1.biz? HT2.UK? NHS.info.ly? What happens if HT1 go bust or have their domain name hijacked?

The NHS must stop the proliferation of these 3rd party domain names. They need to reinforce users' understanding that NHS.UK is the only trusted domain name for official NHS services.

I'm sure HT1.UK aren't doing anything nefarious with the data of people who visit their QR codes. I'm sure they're not inserting tracking cookies or selling my data. But I shouldn't have to be sure. All users should be pointed directly to an NHS.UK domain without having to risk whether their details are going via a dodgy site.

Here endeth the rant.

Terence Eden is on Mastodon

@edent

If the recent Twitter hack had exposed they way you voted on every Twitter poll, how would you feel?

(There is no suggestion that this has happened, I'm just curious about people's relationships to voting and privacy.)

---

Meh. So what?: (167)
167
Hmph. That's annoying.: (68)
68
Umm… This could be bad!: (32)
32
Delete account & run away: (8)
8

---

Most of the tech world that I interact with has moved to Mastodon and other ActivityPub-based social networks. Decentralised social media is great. It allows you to be fully in control of what you post, what you see, and how you interact with others.

Of course, there are downsides. No centralised authorities means verification is difficult. Abuse (of all sorts) can only be dealt with in a piecemeal fashion. And anonymity takes a bit of a nosedive.

When you block or mute someone, that information might leak to the offending user. By its nature, you need to send a message to someone else's server in order to interact with them.

So what about polls on the Fediverse? This poll, for example, is gathering sensitive personal information.

@farooqkz@blackrock.city

Farooq Karimi Zadeh

Let's see how many Muslims are out there on Fediverse. Are you a #muslim?

#Islam #Religion #God

Please boost it so we can have more accurate statistics.

---

I am a Muslim: (62)
62
Not a Muslim: (3,696)
3696

---

In order to vote on the poll, your server sends a message to the poll's server saying "I am user @someone@example.com. I wish to vote for option X. Here is an HTTP signature confirming my message."

Does the receiving server abide by GDPR? Who knows!

The specification around questions is a little ill-defined and the Mastodon documentation is also a bit vague. Neither of them discuss privacy.

There is an excellent blog post by Humberto Rocha looking at Mastodon Poll in ActivityPub. It shows quite clearly that a vote is just a normal message which is passed onto the receiving server.

Services like Mastodon won't let the poll's author see who voted for which option. But that's by convention. There's nothing technical to stop them. Indeed, I understand that the Akkoma social network does show users how users voted.

Of course, on a centralised service like Facebook or Twitter your vote is still recorded somewhere. It can be subpoenaed or looked at by unscrupulous engineers.

Privacy is, of course, a social construct. In some communities it might be sensible to have all votes on the public record. In others, it could be deadly. Some countries have laws mandating strong privacy protections, others less so.

Conduct yourself with that in mind!

Too many of these sorts of books end up being a list of woes and end with "someone should do something, I guess?". Understanding Privacy is different. All the way through the mantra is "You are someone! You do something! And here's how..."

Digital privacy is, I think it is fair to say, not a universally loved topic. Too often it is seen as shrill pedants lobbing fines at unsuspecting companies. The reality is somewhat more prosaic. This is a journey we all have to go on - wherever we work in the digital world.

It would be easy for this book to descend into just being a mega-long checklist. But, while there are a fair few lists, they are backed up with practical steps which can be taken by both people and companies. Some of them are wickedly witty:

Please use https://, because seeing http:// this late in the game is not the sort of ’90s flashback I enjoy.

I especially enjoyed the reframing of certain privacy mavens as "privacy ableists" - those who "criticise a person with a disability for owning an Alexa device, taking no regard for the benefit it has brought into the disabled person’s life."

I also got emotional whiplash after hearing some people described as "privacy shamers" - those who "harass anyone who is doing their best to change tech companies from the inside as being collaborators on par with the Vichy regime."

The book is full of interesting links out to further resources. Although, I should point out that links like https://smashed.by/cnilrights go via the short.io service. Which probably makes me a privacy pedant 😆.

This is an empowering read. It isn't designed to make you feel hopeless at the state of the world but, instead, it asks you to reflect on what you're doing and what you should be doing.

The final question should be the one which weighs on you heaviest: How am I going to feel about myself if I continue to work for this company and develop this product?

Read this book as soon as you can.

I was trying to explain why link shortners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the risk of phishing. I needed to take a different tack.

"So, you know how .uk is the UK and .de is Germany, right?"
"Yes."
"What country do you think .ly is for?"

There was some consulting of ISO 3166-1 alpha-2 whereupon the blood drained from their face and they stepped outside to make a phone call.

A little while later, the National Cyber Security Centre published an explainer about why they weren't using bit.ly any more.

Throughout my time in the Civil Service I advocated for the use of .gov.uk URls everywhere. They're a trusted destination for users, they're under Government control so are less likely to be hijacked, and they don't require users to give their data to third parties.

I helped the Government Communication Service write "Link shorteners: the long and short of why you shouldn’t use them."

Today, in the post, I received six QR codes for Government services. Let's take a look at them.

The Good

Policing Surrey have a QR code which points to surrey-pcc.gov.uk/...

Excellent! 10/10! No notes.

Woking Council send out this code which use qr.woking.gov.uk

Brilliant! The use of the qr. subdomain means they can easily track how many people follow the link from the code.

The Bad

Childcare Choices is a leaflet which is, I assume, shoved through everyone's letterbox. All the URls in the leaflet say gov.uk² - but what happens when you scan?

Our old friend enemy Bitly. A user scanning this has no idea where that code will take them. They cannot access the content without giving their data away to Bitly.

Surrey also sent me a leaflet with two different QR codes.

There are many reasons not to use .io. Of particular interest is the scnv.io privacy policy which, if you click that link, you will see is missing from their website! What does this company do with the data of people who scan that code? No one knows!

The Ugly

Surrey police started so well, but the back of their leaflet is a major disappointment.

Aside from using an unintelligible Bitly link, the QR code is inverted. The QR standard is very clear that the codes should be black-on-white. Some scanners will have difficulty scanning these white-on-dark codes. They may look æsthetically pleasing, but it's a pretty rubbish experience if you can't scan them.

Now What?

I've been writing about QR codes for 17 years! I'm thrilled that they've finally caught on. But, like any piece of technology, they need to be used sensibly. The rules are pretty straightforward - mostly boiling down to testing your codes and keeping them simple.

Is there a risk risk of QR hijacking? Possibly. The best defence is to train users to look for a trusted URl.

In this case, using link shorteners is training users to be phished. If they are used to official Government QR codes going to weird locations, they won't notice when a scammer tries to send them to a dodgy site.

Please practice safe QR generation!

I wanted to download the Android apps to my phone - without using the Google Play Store. The VPN app is on F-Droid but none of the others are. So, because I'm lazy, I Googled "Download Proton Mail".

I landed on https://protonapps.com/.

It looks like a genuine site. But is it? .me is signed by Let's Encrypt, whereas .com is signed by Amazon. There is no link from Proton.me to ProtonApps.com. There's nothing I can find that shows it is genuine.

But, let's assume for the moment, that it is legitimate. What happens when you try to download the Android apps from it?

• The email app page links to the ProtonMail repository on GitHub - there's no link from the .me site to their GitHub. But I'm reasonably sure that's them.

• The VPN app page leads to a different GitHub organisation! I don't know why they're different organisation. It isn't linked to from the the .me site, nor from the https://protonvpn.com/ site (yet another domain!)

• The calendar app page links to ProtonMail.com - is that them? The .com redirects to the .me, but anyone can set up a redirect.

• The drive app page and the Pass app page do both link to Proton.me!

So there are multiple domains - Proton.me, ProtonApps.com, ProtonMail.com, ProtonVPN.com - and there are at least 2 different GitHub organisations.

How do you tell which ones are legitimate? I signed up and paid on the .me page - so I have high confidence in it.

The official Proton Mastodon account says the ProtonApps.com site is legitimate (and the Mastodon account is verified by the .me site). But you can't expect users to chase through a dozen different pages and enquire on social media just to verify which page is safe.

This is my plea to all developers - simplify your customer-facing infrastructure to make your domains consistent & trustworthy.

I put in a random number, and it refused to let me in.

Putting in a genuine O2 number let me through. So what is it doing to validate numbers?

It is making an API call to this URl:

https://www.o2.co.uk/o/customer/mods/lookup/447700900123

After a bit of testing, this is how I think it works.

If you give it an O2 phone number, it replies with:

{"type":"ONE"}

If you give it a number which isn't on O2, it gives:

{"type":"ZERO"}

A number it doesn't recognise gives:

{"message":"Unable to find the requested resource."}

A malformed or incomplete phone number gives:

{"message":"Something's wrong. Please try again later."}

Responsible Disclosure?

As far as I can tell, O2 no longer have a Bug Bounty or Responsible Disclosure offering. So I'm publishing it here to let people know.

It is possible that someone could use this API to disclose a (minor) piece of personal information about you - namely whether your phone number is on O2 or not. I don't think that's particularly sensitive, but it is probably worth knowing.

Safelinks allow your administrator, or someone at Microsoft, to stop you visiting a link which is malicious or suspicious. Rather than going to example.com, your link now goes to safelinks.protection.outlook.com/?url=example.com.

Hurrah! If you accidentally click on a naughty link you won't cause chaos and ructions.

Except, there's a tiny problem. People like to copy and paste links that they receive. Someone sends an email which says "here's the link to that report you asked for" which then gets copied into a document or a web page.

For example, I was reading this official document from the UK's Department of Health and Social Care. Slap bang in the middle is a link to another report:

That forces everyone who visits that link to go through Microsoft's proxy. That might protect users if a link later becomes suspicious. But, more likely, it will be used in analytics to further profile users who click on links. It also undermines a user's ability to see the final destination of a link unless they can manually URl-decode content in their head.

It appears that every large organisation which uses Microsoft is prone to this failure. Lots of UK Government departments publish content with safelinks:

The US Military too:

It's all over Twitter:

And there are hundreds of academic works infested:

Look, I get why people do this. They copy a link from an email, paste it in, click it, and it works. No one writes raw HTML by hand, nor should they have to. Our WYSIWYG tools work really well and hide all the mumbo-jumbo. Copy editors look at text; not hypertext. It's only nerds like me who hover over a link before clicking on it.

Perhaps I should stop worrying? Perhaps it is OK that Microsoft intercepts the clicks from people all around the world? Perhaps they can competently run a proxy which detects and blocks inappropriate content? Perhaps they won't ever abuse that facility?

Here's my prediction. In the next five or so years, Microsoft is going to accidentally shut off *.safelinks.protection.outlook.com and a million copy-and-pasted links across the web are going to break.

Think I'm over-reacting? A decade ago, Microsoft got rid of their MS Tag product and, shortly after, all their proxy links were shut off. Similarly, other proxies like McAfee have shut down with little warning.

Or maybe Microsoft's sub-domains will be hijacked?

Either way, if you work in digital publishing, please make sure that your links point directly to the content that you want; not to Microsoft's safelinks service.

A few years ago I was sat in the proctology waiting room. Anyone who knew me would have seen I was waiting for an bum doctor. They may not have known my specific complaint, but the laser-display board announced that my appointment was with Doctor X. Anyone can look up Doctor X online and see that they specialise in removing foreign objects which have mysteriously found their way inside a person. Whither privacy?

But that's the kind of trade-off we make. It would be expensive to have individual waiting cubicles. And most people aren't famous enough to be recognised in public. And the chances of your neighbour also being in hospital are slim. Any you might just be waiting for a friend. So we sort of hand-wave it away because it is a small but difficult problem to solve.

Anyway, a few months later, I received a letter from the hospital. It was delivered in a plain envelope with no hospital markings. The return address was a suitably anonymous bulk mailing service. There were no warning markings to say this was a medical letter. There is no way that my postman, my housemate, or my cleaner would have known what the letter was about.

But see if you can spot the incredibly subtle mistake that was made:

Printing a physical letter on paper and then folding it in such a way that both the address is displayed and the paper cannot slip is a surprisingly hard problem. I get letters from lots of organisations where this has happened.

But, before lighting up the pitchforks, what's the real harm that has occurred here and how could it be prevented?

My postie now knows some of my medical info. That's assuming they bothered reading past the address, and that they remember anything specific from the 500 letters they had that day. My postie seems nice enough - but I don't doubt that a postal worker somewhere could use this to blackmail or intimidate a vulnerable person.

Anyone with access to my letterbox, and who gets there before me, also has sight of my information. Again, I tend to trust the people I let in. But not everyone is so lucky. A sufficiently abusive person would have opened the letter regardless of what they saw.

A fully paper envelope with no plastic window reduces one specific class of error - but may be too expensive to implement at scale. And, of course, if there's no window then there is the chance that the wrong letter might go into an envelope addressed to someone else.

Would going digital solve this? Email is mostly end-to-end encrypted between the big providers, so it would be unlikely that anyone saw it as it was being delivered.

Most email clients show the first few lines of a message - and some of them will show that preview as a pop-up on a locked phone. So anyone with access to your device could see something untoward. A sender name and subject have to be useful to the receiver - but is "FROM: Proctology. RE: The object we pulled out of you" too revealing?

An email could be fairly anonymous and link to a download portal of the real message. But that's quite a lot of work for a user to do. And an abuser could still have access to your device.

An email encrypted with your public key and send with a cryptic subject line is the sort of theoretical magic that geeks love, while forgetting that most people reuse their passwords and leave their laptops unlocked in the coffee shop.

What I'm getting at is that there's no perfect solution. Only incremental changes which may introduce a new class of problem.

Jessica Rose

@jesslynnrose

The function of a system is its output.

If you have dog grooming machine that sometimes smashes puppies and you keep running it, you're in the dog smashing business.

If you work for a mass surveillance company that keeps enabling genocide and undermining democracy...

---

The whole thread is worth reading. One thing she doesn't cover is how you should respond when someone proposes to implement a puppy-smashing machine.

If you don't agree with puppy-smashing (and there are two sides to every argument) then it's very important to be polite and civil while discussing the issue - because puppy-smashers are real people with valid feelings.

For example, you could say to them:

• I'm not so sure that's a great idea. Please would you reconsider?
• Hey, just so you know, not everyone is down for puppy smashing. Any thoughts on addressing that?
• Interesting. But have you read Smith et al's work on differential smashing of pets?
• You're the good guys! Is there any way you can exclude my puppy from being smashed? He's a service dog.
• Perhaps you could only smash puppies 10% of the time? No worries if not!!!

And so on. That way you get to have a calm and respectful decision about the the hard work people are doing. Even if someone is threatening to smash your puppy, you need to keep a cool head and make sure you don't raise your voice.

Right?

No.

The correct response is "What the actual juddering fuck is wrong with you? Don't be such an absolute thundercunt! I'm going to call the authorities right now, you literal scumbag!"

It was Robert Jones, Jr. who said: "We can disagree and still love each other. Unless your disagreement is rooted in my oppression, your denial of my humanity, my right to exist."⁰

I don't think you need to be civil to those people who are deliberately trying to harm you. Sure, you might get a more positive reaction if you gently cajole them or politely help them see the error of their ways. But sometimes it is important to let people know vociferously just how much their plans will hurt you and your puppies.

A relatively unknown hardware company has just released one of the first "fitness trackers" which can measure a wearer's physiology. As well as counting steps, it now has the ability to measure heart-rate and a bunch of other things. They think that athletes and exercisers will be interested in knowing these vital statistics. But they're wondering if there's another market they've missed.

My employer's pitch is simple - livestream the cardiac rhythms of football players back to their coaches. If Ted Lasso can see that Jamie Tartt is faltering, substitute him.

In a sense, it is no different than the tech that's used in Formula 1 racing. Team engineers can see the motor's exact RPM, temperature, and wear. Every facet of the car's performance is analysed to extract marginal gains in performance. And, incidentally, to prevent catastrophe.

With advances in technology, it would be possible to measure a player's oxygen saturation, their alertness, and lactic acid build up. Having complete understanding of athletes' health would be a literal game-changer.

We could go even further. How about we give that data to the TV broadcasters? How does it enhance your experience of the game if you can see the beats-per-minute of the striker and goalkeeper in a penalty shootout?

Our pitch-deck had a slightly more professionally produced version of this graphic:

Would bookmakers like to know that the star player had exhausted themselves? Would stats nerds like to know who ran the furthest? Would players like to scream abuse at the lazy players?

In the end, the pitch failed on three counts:

1. Battery power just wasn't good enough to continually transmit real-time data across a football pitch. Not without making the device much bulkier and heavier.
2. Worries about eavesdropping. Unless the signals were extremely well encrypted (not likely given the primitive technology and power requirements) then the opposition team could gather valuable insights on their rivals.
3. Player privacy. Professional athletes are humans. They want (and deserve) privacy. Perhaps they have a minor heart condition that they don't want the world knowing about?

I genuinely don't know enough about sports or the psychology of fans to know if this would have been successful. All the customer research seemed to think that it would have been a big hit with gamblers. I daresay with all the other augmented reality stats which currently deface the screen it would have fitted right in.

But, to most people, it felt needlessly invasive. There's still a huge "ick factor" around seeing other people's medical information. Players, we were told, just wouldn't go for it.

As the technology matures, I can't help wondering how long it is before it becomes ubiquitous. Would we demand politicians display their galvanic skin response so we can tell if they're lying? Should all first dates mandate arousal detectors to ensure compatibility? Will your employer let you take a loo break only if you can prove that you're bursting?

Strange times ahead...

Let's say you're bob@social.boring and, one day, you decide to move your account to foxyfun@furryextreme.yif. Well, with a few clicks of a button, all of your old followers are now following your brand new account. You're still following all your old friends. The accounts you wanted to block and mute are still silenced.

Perfect!

Except...

What happens to the people who blocked and muted you?

I ran an extremely scientific poll on Mastodon:

Yeah... No one knows and there's no real consensus.

Scenario 1 - Blocking

I blocked Bob because he keeps sending me unsolicited duck pics.

From my point of view, I want Bob's new account to be automatically blocked.

Both Bob and his server know that I've blocked him. When he tries to view my profile, he is told to piss off.

Bob's server should maintain a list of accounts which have blocked him. When he initiates an account transfer, his old server should tell my server to update its block list to Bob's new account.

I might be a bit confused seeing an unknown account in my blocklist - but my server could explain what's going on.

This, to me, seems like a sensible solution. If it isn't implemented then it is trivial for malicious users to evade blocks at no cost to themselves; they get to keep their followers.

OK, now we get on to the harder problem.

Scenario 2 - Muting

I muted Bob because he's an arrogant arsehole.

From my point of view, I want Bob's new account to be automatically muted.

The problem is, Bob doesn't know that I've muted him and neither does Bob's server. It is my server which silently drops all the tedious mansplaining posts sent by him.

If my server tells Bob's server that he is muted - that's unwanted information leakage. I don't want Bob to know I'm ignoring him.

There are two possible solutions:

1. When my server receives a message from foxyfun (whether to me or someone else) it should be told the user's old account name. That way my server can update any mute lists for the old account. That might involve a lot of database thrashing.
2. Alternatively, when Bob changes his account, his server could broadcast to all federated servers the account change. That's probably a bit inefficient and failure intolerant.

Personally, I think this makes sense. If I don't want to hear from someone then it shouldn't matter if they've changed account. They're still the same prat. But I'll admit this feels like a lot of extra work for the protocol and servers.

Alternatives

Bob could create a brand new account to get past my mutes and blocks. But, in doing so, he loses all his followers.

Bob's change of persona could represent a new start and maybe I should give him a second chance? But life's too short for that.

I could be less thin-skinned and accept that Bob gets to impose himself on me. But that doesn't suit my mental health requirements.

I could take 30 seconds out of my day to block the new account. But computers should be automating this sort of tedious busywork.

Thoughts

If you have any burning thoughts on this - whether you agree or disagree - I'm very interested in hearing them. Please leave a reply here or on Mastodon.

The IAB's tech lab is working on a system called UID2. It's a more advanced way to track you no matter what you do and no matter what steps you take to avoid it.

UID2 is a framework that enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. The UID2 framework enables logged-in experiences from publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows.

Basically, they tie your email address to everything you do. Signed in to watch a TV show? Better sell that info to the advertisers so when you sign in to a different site they can send you targetted messages. Yuck.

One of the ways privacy conscious users normally avoid this is by subtly altering their email addresses for each service they use. For example, GMail ignores any dots in your username. So if you are Han.Solo@gmail.com you can also use H.ansolo@gmail.com or ha.ns.ol.o@gmail.com. A user might sign up to a service and use a specifically "dotted" email address. If they later start receiving spam to that address, they know the service has leaked or sold their info.

You can go one step further and use plus addressing. For example han.solo+amazon@gmail.com and han.solo+github@gmail.com. They both will appear in your normal inbox, but are unique for every service you use. Again, this is great for making sure that someone hasn't sold your email address to spammers.

The IAB hates this.

As part of the UID2 API they specifically describe how an advertiser must "normalise" their users' email addresses.

This means h.a.n.solo+iab@gmail.com becomes plain old hansolo@gmail.com

I think this is pretty shitty behaviour. If someone has deliberately set their email address in this form it is because the user does not want their identities to be commingled.

Last year, I asked them to respect users' privacy and reverse this change. They finally responded:

Thank you for your input, we thought long about this update and ultimately as it stands today it is not a change we would like to add.

So, there you have it. If you want to take even the smallest step to preserve your privacy - tough. If you want to track which IAB members are using your data - tough. If you want to track users even if they don't want to be tracked - the IAB is happy to help.

If you want to opt out of this - and you trust the IAB to handle your data safely - you can submit your email address and phone number to https://transparentadvertising.org/.

Personally, I recommend installing the uBlock advert blocker on all devices which support it.

So, the exam body requires me to install ProctorU. It's a service which lets someone watch you through your laptop camera while you do the exam. Creepy, but I get it. They also want to see your screen to make sure you're not alt-tabbing. A bit grim, but I get it. They also want complete control over your laptop, including the ability to silently transfer files and run arbitrary programs. LOL WAT?!?

Here's the "helpful" video showing what's involved. It is a 6 minute long privacy invasion.

But, OK, there's no way my employer (the Government) is going to let me install this malware on their machine. No worries, I'll use one of my Linux laptops. After all, I am doing an exam all about Linux security! Let's check their system requirements.

Soooo… No Linux, no Chromebook, no Android tablet. I can't even spin up a Windows VM?

The thing is, the training provider - which sells these courses to businesses - know that most business laptops won't allow ProctorU's spyware on them. It's just too risky. Their solution?

And if you don't have a personal Mac or Windows machine?

Any of you want to lend me a laptop so I can install invasive spyware on it? No? Didn't think so!

I asked the course provider what options they had for me - and I'm waiting to hear back. It looks like I can go to one of their regulated test centres and take the exam there.

Hmmm - spyware on my computer, or catch COVID from a shared PC? Choices… Choices…

"Alexa... Notifications?"

"You have one notification. An item on your wishlist has dropped in price. The … is now only £…"

And that's how my wife found out what I planned to get her for her birthday!

What happened to cause this? I maintain several Amazon Wishlists® of things I want to buy. One of those is for presents I might want to buy my wife - and it is set to private. If you want to buy me a present, you can view my public wishlist. But my private ones are private to me.

If you go to edit your wishlist's privacy settings, you'll see this small disclaimer:

Going over to https://www.amazon.co.uk/alexashopping/notification there's this toggle switch.

So, there's no way to switch off notifications from private lists. You have to switch them off for everything.

In this case, the harm was minimal. I'll have to find something else as a surprise gift. But imagine if I had a "private" wishlist for something embarrassing or upsetting? I don't remember ever switching on the option for my Alexa to announce to my entire household that there is a price-drop on my weird fetish.

I've written before about anti-social app design. The tech bros working on apps often don't consider that people have families. And that they live with people that they want to keep secrets from.

According to the UK's Office of National Statistics - only 28% of households contain a single occupant. The majority of people live with other people.

What to do next

If you use private wishlists, and have an Alexa, you have a few of options.

1. Stop using Amazon's wishlists, and keep a separate list elsewhere.
2. Turn off all price drop notifications.
3. Write a ranty blog post and hope a product manage at Amazon takes notice.

Pre-empting Your Comments

Before responding to this post, please consider the following:

"Why didn't you read the disclaimer?"

I set up this wishlist long before the Alexa was invented. The disclaimer didn't exist then.

"You should have gone through every single option and made sure you were happy!"

That's unrealistic. Options should be set to preserve privacy by default. Asking the user to go through dozens of different pages of options to prevent their privacy being violated is an unreasonable burden.

"This is your fault for being tied in to Amazon's ecosystem!"

Possibly.

jEfF BeZoS Is aLwAyS LiStEnInG To yOu!!1!!!!111!

As long as he gives me cheap same-day delivery, IDGAF.

Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and mics. No audio or video will be sent until the user agrees.

But some metadata gets shared before you agree!

Visit the WebRTC Detection Experiment site. You'll notice that without you agreeing, the site is able to determine how many microphones you have:

And how many cameras you have:

Having two cameras is perhaps a reasonable proxy for being a mobile phone / tablet. One main cam, one selfie cam.

Multiple microphones could be an indicator that the user is on a laptop. Built in microphone and an external USB microphone. Although some phones also present multiple microphones.

The names of the devices aren't sent until after you agree to the permission prompt.

There are inconsistencies between browsers:

It is useful to present to the user a selection of input devices. But does the site need to know how many devices are attached before permission has been granted?

The way the iPhone does it, is to present a fake set of data - one mic and one camera - until permission has been granted. Then it shows the real information.

Personally, I think the browser should only indicate a boolean to the site that AV inputs are available. Once permission is granted, then the site can request the number of devices and their names.

What do you reckon?

Without your permission, or even your awareness, tech companies are harvesting your location, your likes, your habits, your relationships, your fears, your medical issues, and sharing it amongst themselves, as well as with governments and a multitude of data vultures. They're not just selling your data. They're selling the power to influence you and decide for you. Even when you've explicitly asked them not to. And it's not just you. It's all your contacts too, all your fellow citizens. Privacy is as collective as it is personal.

This is an extremely timely and important book. Unlike the similarly themed "The Age of Surveillance Capitalism" this is completely readable by a non-academic. Utterly free of highfalutin verbiage. It is refreshingly plain. Véliz sets out her thesis and logically follows through all the arguments.

Véliz expertly takes the reader through a journey which is intended to radicalise them into taking privacy seriously. Your data is being used without your consent and it is having a disastrous impact on you and your community.

Again, unlike Zuboff's "Surveillance Capitalism", this contains practical actions an ordinary person can take. As well as political actions - it contains concrete steps. I'm happy to say they're things I've talked about:

• Use and Ad Blocker.
• Give fake details online.
• Use a password manager.
• Lie to public WiFi providers.
• Use a unique email for every service.

It is essential that you read this. Even if you think you understand the arguments for privacy, there will be stories in here which will shock and enrage you. It will give you the tools to defend yourself and sets out a decent plan for the future.

As Véliz says:

"We use fire doors to contain possible fires in our homes and buildings, and watertight compartments to limit possible flooding in ships. We need to create analogous separations in cyberspace."

Grab a copy, now.

So, the NHS releasing the number of times a doctors' surgery has prescribed Paracetamoxyfrusebendroneomycin is probably OK - unless it is only ever recommended for one-legged Welshmen over the age of 60, and you're the only person in the catchment area who meets that description.

I've found a semi-open data set which make me slightly nervous.

In the UK, you can change your gas and electricity supplier. There are hundreds of different gas suppliers. Which one supplies your home?

Ofgem, the energy regulator, tells people to use the FindMySupplier.energy website to find their supplier.

Type in your postcode and house number, tick a couple of boxes, and promise that you are who you say you are:

And then you can see your gas supplier and Meter Point Administration Number.

This isn't, technically, open data. The licencing terms are restrictive, there's no complete dataset available, and no public API. But it is open for anyone to view. There's nothing stopping you typing in a neighbour's address, or a stranger's address.

Is this a problem?

I'm not sure if my commercial relationship with a supplier is personal data and should be protected. It feels personal.

There's a risk someone could use it in a phishing attempt. Telephoning me and claiming to be my supplier could be a good way to get me to hand over money or other information.

If I work for Energy Supplier X but get my gas from their rival, that could be embarrassing.

Could someone call my energy supplier and claim to be me? Would they be able to socially engineer any more data out of them?

There are lots of niche suppliers. I'm not aware of any which are, for example, marketed exclusively at LGBT+ customers. But I'm sure someone more nefarious than me could find something that a customer might be uncomfortable being revealed.

Is this too remote a risk? All I can say is that I find it kinda creepy that anyone could look up my details, and I kinda worry about how they could use that information against me.

Why is this available?

There's a good reason why this dataset is available in the sort-of open. When you move house, you may not know who the energy supplier is. Finding out the supplier means you can quickly get set up and be billed correctly.

Similarly, the UK has an open database for Car Tax and MOTs (car safety certificates). Type in any car's registration plate, and you can see if its tax is up-to-date and what it failed its last MOT for. Again, useful if you're buying a vehicle. But also handy if you're a nosy neighbour.

In Norway, you can look up anyone's salary and see how much tax they paid. Sounds like fun! But is it a win for open data? Perhaps, but because it encouraged snooping and other unhealthy behaviour, people now have to log in using their national ID number. You can't be anonymous while you search.

As the Norwegian website says:

You can also check if someone has searched for you. If you search for anyone, they can see that you did.

In the UK, we don't have a National ID scheme. So we can't have something like that. Perhaps it would put off illegitimate users of your gas data? Or perhaps it would be intimidating to see just who'd looked up your details?

Open Data is hard. It's hard to strike a balance between useful and creepy. I don't know where the balance is with this data set.