Categories
Data protection Privacy

Proof of existence

In the march to get rid of paper records and have everything online, it is becoming increasingly difficult to prove one’s details when signing up to, or dealing with, a process still based on old-school mechanisms such as requiring bank statements and proof of address. Add to this the fact that, in becoming ever more online, the world is requiring people to own and know how to use a mobile phone while having little, if any, regard for the affordability of such an item. Cursory throw-away lines, such as pointing people without online access at home to their public library, are becoming increasingly moot with library closures and, not least, with Covid-19.

Examples of the complexities one may face are rife but here are two real-world examples, carefully crafted so as to not give any names away.

Person A works for organisation B and is changing roles within B. B needs two proofs of ID and two of address from A for the new role. However, A only has one proof of address, a bank statement. B states that a second bank account will do. A can open a bank account with another bank (C) online. C only needs a single proof of ID and a single proof of address, and A’s existing bank statement will suffice for the latter. Therefore, C has a lesser requirement for proof of ID and address than B and will provide a second proof of address to A to send to B. While one may argue that C has too low a burden of proof or that B has one too high, one cannot get round the fact that B already has all the information it needs, as it is A’s employer.

Another example. A needs government department B to change some details about property C. B will not accept the evidence available to A but government department D does hold valid details about C. B tells A to purchase these from D. Why? Both B and D are government departments. In this case A simply dropped the issue given they had informed B of an error in the records held by B regardless of whether or not B would do anything about it.

In both the above cases the organisation in question (B in each case) has access, directly or otherwise, to the information that it requires from A: in the first example via existing employment records, and in the second by simply requesting it from another department.

Now, in each case, if A had an official government-scheme ID card, as was proposed and shot to bits several years ago in the UK, B would not require any further information because all such information would be tied into the ID card provided to A. A hypothesis therefore exists that the establishment, governmental, quasi-governmental and commercial, are collectively making processes so hard for all the ‘A’s in the country that a future proposal for all citizens to be issued with ID cards will succeed by the mere fact that people are so fed up with having to find more exotic ways of proving their existence that they will not vote against it.

That cannot be right.

Categories
Cookies and tracking Data protection Website whinging

Crumbling cookies

With the fines and threats imposed by France on Google and Facebook, it was interesting to note that both Facebook and, possibly unrelated, eBay had logged me out overnight, and I had a new-looking consent form presented by Facebook in the browser and eBay in the app. The Facebook app has not changed and I am still logged in.

So I had a look at Google again, specifically google.co.uk. The cookie-wall – I’m calling it that because you need to agree to get past it – looks the same as the last time. Google sets two cookies on entry, one (NID) which my cookie crunching app defines as a tracker, and another called CONSENT with a 2038 expiry date. After a short while it sets another called SNID. More success on the iPhone, where I keep cookies blocked. Here, as before, the cookie-wall appears and then vanishes.

My take on this is to question why Google is setting these three cookies before I have consented to anything and, if they suggest that their product will not work without them, then why does it work without? To my simple mind nothing should set any cookies until I agree, and even then the only cookie that should be set if I do not agree is one indicating this so it knows next time. Of course, strictly necessary cookies are excepted, but I would argue that no such cookie is needed until I explicitly request a service for which they are required. This would, or at least surely should, never happen on a website’s entry page, with the exception of sites that require a login before one can access them, and even there surely there will be a not-logged-in page where no cookies are required until one logs in.

Categories
Data protection Internet surveillance Privacy Security

Correcting the panoptic vision

Data retention – those laws requiring providers to retain communications metadata – has come under attack again from the CJEU. After a chain of legislation fell foul of data protection laws over the decades, the latest and greatest Investigatory Powers Act is now on very thin ice.

The punchline in Case C‑623/17 was twofold. First, the court determined that “national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” falls under data protection legislation. And second, it found that the legislation precludes “national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

Mind you, given the government’s actions of late, including enacting legislation which is technically illegal, one wonders what difference it will make. Throwing Brexit into the mix may not actually help Them out here because, unless changes are made, this will greatly affect the UK’s ability to transfer personal data as a third country to the EU. Perhaps Schrems, the destroyer of Safe Harbor and Privacy Shield, will turn his attention on the UK!

Categories
Data protection

GDPR

Amidst the general GDPR panicking I received some spam today which stated that due to the new regulation I now need to consent to receiving more spam. Oh, if only they were all like this…

Categories
Data protection Privacy

Google cloud

There is a story about how Google blocked access to a load of documents in their cloud provision because an automated check determined they were in breach of Google’s terms of service. Of course, everyone reads these, don’t they? (Actually they are written in fairly easy-to-understand language, unlike many, so no excuse really.)

But my interest here is how Google (or any such provider) can protect itself given it can automatically check stuff in the cloud. If something got to court I wonder if a judge would request that Google somehow prove that it did not know a given document was illegal, and how it could prove this.

Categories
Data protection Internet surveillance Privacy

Weaknesses in MAC address randomisation

Typical networked devices, including the ubiquitous smartphone, have a now well-known address – the IP address used to route information across the Internet. But there is another, less well-known address which can be far more revealing of the actual device. This is the MAC (Media Access Control) address. Where the IP address is needed to enable end-to-end communication across the Internet, the MAC address deals with physically addressing devices on the local network. Unlike the IP address, which is stamped on every packet of data, the MAC address does not bother with such things. It is a low-level address, in Layer 2 of the OSI model, or in the physical layer in IP terms. It deals with moving data – whatever that may be – between connected things. Examples include your smart TV and home router, or your smartphone and a wifi hub. Your smartphone passes data to the wifi hub using the wifi hub’s MAC address and vice versa. The wifi hub in turn passes the data onwards to, say, your home router using the home router’s MAC address and vice versa. And so on.

MAC addresses are 48-bit addresses broken into two parts. The first 3 bytes (24 bits) are known as the Organisationally Unique Identifier (OUI) and companies purchase and register these with the controlling body, the Institute of Electrical and Electronics Engineers (IEEE). The second half is a unique serial number assigned to a Network Interface Card (NIC) (or most probably these days a chip, not an actual card).

MAC addresses were designed to be globally unique but the first byte contains a one bit flag to indicate if the address truly is global, or local. Local addresses are by definition not globally unique. A second type of identifier, the Company ID is formed from the same first 3 bytes but with the flag set to local.

Now, the first part of the problem is these first three bytes identify the manufacturer or company, so you can see how a MAC address can be used in a useful way by a surveilling agency. Even with such generic data, when faced with a room full of Android owners the one iPhone owner will stick out.

But there is a far more major issue. Although these MAC addresses are meaningless in wider Internet terms, they are nonetheless supposed to be globally unique. And there is the issue. Were a global adversary able to inspect everything in the Internet looking for MAC addresses, then a device, a smartphone say, could be traced across the planet.

To get round this issue operating systems can randomise the MAC address. This was intended as a privacy-enhancing technique, but unfortunately researchers have discovered multiple flaws in the various randomisation techniques used by system makers, which enabled them to defeat the randomisation of MAC addresses in 96% of Android phones. They took their work further to examine an attack method which can identify the global MAC address of a device even when it is in a randomised state.
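The address layout and the global/local flag described above can be checked directly on any address a device presents. The following is an added example, not code from the cited papers: the function names are hypothetical, the sample addresses are constructed, and `random_local_mac` assumes the common approach of marking a randomised address as local.

```python
import re
import secrets
from collections import Counter

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

def parse_mac(text):
    """Split a 48-bit MAC address into the fields described above."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = bytes(int(part, 16) for part in re.split(r"[:-]", text))
    return {
        "prefix": octets[:3].hex(":").upper(),  # OUI, or Company ID when local
        "serial": octets[3:].hex(":").upper(),  # per-interface half
        "local": bool(octets[0] & 0x02),        # the global/local flag
        "multicast": bool(octets[0] & 0x01),    # group address, not one NIC
    }

def random_local_mac():
    """Random unicast address with the flag set to local (assumed scheme)."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return bytes(raw).hex(":").upper()

def summarise(observed):
    """Count global addresses per prefix; count local ones separately."""
    prefixes, local = Counter(), 0
    for mac in observed:
        fields = parse_mac(mac)
        if fields["local"]:
            local += 1
        else:
            prefixes[fields["prefix"]] += 1
    return prefixes, local

# Constructed sample: the prefixes are placeholders, not looked-up vendors.
SAMPLE = [
    "04:AA:BB:10:20:30",
    "04:AA:BB:44:55:66",
    "04:AA:BB:77:88:99",
    "08:CC:DD:01:02:03",  # the lone device from a different maker
    "DA:11:22:33:44:55",  # flag set to local, so the prefix is not an OUI
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
    print(parse_mac(random_local_mac()))
```

A device that really is randomising should show `local` as true on every address it uses while scanning; a global address appearing there exposes the maker prefix and the fixed serial half.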

See https://arxiv.org/pdf/1703.02874v1.pdf

See also http://papers.mathyvanhoef.com/asiaccs2016.pdf and https://lirias.kuleuven.be/bitstream/123456789/547642/1/wisec2016.pdf