Personalisation is Asymmetric Psychological Warfare


Another privacy nightmare. An airline wants its cabin crew to know your birthday and favourite drinks order, to better personalise its service to you. My first instinct is to recoil in horror. It sounds like every dystopian sci-fi epic. But why do I feel this way? Partly it is the lack of genuine personality behind the interaction. It is the Uncanny Valley of sincerity. When Facebook wishes you happy birthday, it is a purely mechanical response - not an outpouring of genuine feeling. There's …

Privacy, Security, & Ethics - Computer Science's "Jüdische Physik"


A fist emerges from a computer screen and punches the user.

I'm going to tell you an anecdote which is a gross oversimplification of a complex topic. In the early half of the twentieth century, certain physicists made breakthroughs in relativity, quantum mechanics, and nuclear energy. Many of these scientists were Jewish. The Nazis called these heretical ideas "Jewish Science" and suppressed their teaching. Jewish physicists based in Germany fled the oncoming war. Many ended up in the USA where they worked on the Manhattan Project to develop nuclear …

MailChimp leaks your email address


Change email address page with obscured email address

An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here by this previous website." This has some privacy implications - the administrator of a web site can see which website you were on. Usually this is fairly…

Full Disclosure - This Bluetooth tag is leaking your personal data


If you have a TinTag, your location is being broadcast without encryption! Earlier this year I purchased and reviewed the TinTag. I've spent the last month trying to get hold of the company to report a serious privacy problem with their Android app. I've not received an adequate response, so I'm publishing this post to let affected users know about the issue. The TinTag is a BLE tracker. It's designed to attach to your keys or bag. An app on your phone can send a message to the tag,…

Another Google Privacy Flaw - Calendar Unexpectedly Leaks Private Information (Disclosed)


My wife likes to set reminders for herself in Google Calendar. Recently, she added a note to her personal Google Calendar reading "Email alice@example.com to discuss pay rise" and set the date for a few months from now. She'd had a discussion with her boss, Alice, and they'd agreed to talk about salary later in the year. A few moments later, Alice sent her a "Meeting Accepted" email. What... The...? Although pretty embarrassing, it could have been a lot worse. It could have been "Email…

The Perils of URL Shorteners


I'm not a big fan of URL shorteners - bit.ly, t.co, goo.gl, ow.ly, etc - I understand the need for them, but they seem to offer a fairly poor service in terms of privacy and usefulness. Take this recent example from Vodafone. Aside from the obvious downsides (the user doesn't know where the link will take them or whether it's compatible, the link looks like gobbledegook, etc) there is a rather more interesting issue. Goo.gl - along with many other URL shorteners - gives everyone access to your statistics. …

Path - Privacy & Security Problems


I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling... Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is a good thing. Apart from images. If your friends are posting images, they are sent over http. No…

A (Minor) Twitter Privacy Bug?


The Twitter logo.

Quick Summary: Twitter's secure API hides the contents of the tweets you are reading. But it doesn't hide the images of those you converse with. Raised as Issue 2175.

A Bit More Detail: Twitter has a secure (HTTPS) and insecure (HTTP) API. When calling the secure API, all the content of the returned message (tweets) is encrypted. Eavesdroppers only see the cipher-text - essentially garbage. However, within that cipher-text are links to insecure resources. For example, a user requesting…

Vodafone Exposes Users' Email Addresses


(Disclaimer - I used to work for Vodafone. I don't any more.) A rather nasty flaw with Vodafone's "My Account" service was recently pointed out by Denny de la Haye. Vodafone will quite happily tell you the email address of any customer who has set up the "My Account" facility.

Denny (@denny), 13:14, Wed 22 September 2010: "Ugh. @VodafoneUK's website exposes my email address to anyone who knows (or randomly enters) my phone number on the 'forgot password' page."

Vodafone offer a "My Accou…