This morning, my wife noticed that Alexa was insistently flashing its little blue lights. "Alexa... Notifications?" "You have one notification. An item on your wishlist has dropped in price. The … is now only £…" And that's how my wife found out what I planned to get her for her birthday! What happened to cause this? I maintain several Amazon Wishlists® of things I want to buy. One of those is for presents I might want to buy my wife - and it is set to private. If you want to buy me a prese…
A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting? Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and mics. No audio or video will be sent until the user agrees. But some metadata gets shared before you agree! Visit the WebRTC Detection Experiment site. You'll notice that…
Without your permission, or even your awareness, tech companies are harvesting your location, your likes, your habits, your relationships, your fears, your medical issues, and sharing it amongst themselves, as well as with governments and a multitude of data vultures. They're not just selling your data. They're selling the power to influence you and decide for you. Even when you've explicitly asked them not to. And it's not just you. It's all your contacts too, all your fellow citizens.…
I'm an advocate for open data - both in my professional role and in a personal capacity. One of the hard things is succinctly explaining that "open data" means "non-personally identifiable data at a sufficient granularity to be useful without posing a risk to any individual's (or group's) reasonable expectations of privacy while still being useful to researchers and civic society." What a mouthful! So, the NHS releasing the number of times a doctors' surgery has prescribed…
Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence: “Due to GDPR the attached file is password protected, I will send the password in a separate email” I shit you not. I checked the sender. They didn't work for my org…
Another day, another data breach. "The email addresses and travel details of about 10,000 people who used free wi-fi at UK railway stations have been exposed online. The database, found online by a security researcher, contained 146 million records, including personal contact details and dates of birth. It was not password protected." (BBC News) There's a really easy way to protect yourself from being a victim. Lie. When a WiFi provider asks for your email address, lie. When…
Facebook has an interesting feature. It will let you see which companies have associated your off-Facebook activity with your Facebook account. If you visit: https://www.facebook.com/off_facebook_activity/ you'll see what companies are snitching on you to Facebook. Alice St⭕️llmeyer (@StollmeyerEU): "#AirBnB shares your activity with #Facebook ?! Delete that @Airbnb app, folks! Mine didn't even allow me to change its Facebook connection 😡 isn't that against GDPR, @vestager & @dreynders? And delete yo…
I recently went to a university hackathon, where students were trying to invent novel ways to help prevent pandemics. This was purely an academic exercise - they were not developing a fully-fledged app, nor were they creating official policies. I spent some time with one group discussing the privacy implications of what they had built. Thesis: By monitoring nearby Bluetooth devices, we can tell who has come into contact with an infectious person. We can warn people that they may have been…
I've been ranting about Bitly for years! The ubiquitous link shortener had an interesting "feature" - add a + to the end of the URL and you could see all the statistics for the link. How many clicks, referrers, location of users. Here's a blog post I wrote about it way back in 2011. I often used this feature to explore how popular companies and scammers were: Terence Eden is on Mastodon (@edent): "This is why we don't use bitly in our work. *Anyone* can add a + to the end of the URL and see where…
Here's an interesting user-hostile pattern which could easily be avoided if programmers and business-people thought like regular humans. I have a Pioneer / Onkyo sound system. It's pretty nice and comes with a (not too crappy) Android app to let me remote control it. One day, the app updated itself. The changelog was the usual bland "bug fixes and improvements" message, but when I opened it, this happened: Why does a remote control need to know my location? I assumed it was for some…
Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have email signatures which contain personal details. When these people reply to a GitHub notification they may unwillingly share their contact details in public. …
A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems into sending your call to the operator if you hold down the zero button. So I rang back... "Please hold…