Privacy Website whinging

The problem of stats

No, not statistics in itself. The problem I am writing about is website statistics, and it started a long time ago.

Back in the day we simply used web server logs to analyse website traffic. One could see an incoming IP address and see where the associated browser went in the website. This worked well back then as websites were simple affairs and essentially all one big lump. Of course, this was an era when web servers were run almost in the spare time of those few IT (and indeed non-IT) people who had any interest in the web. Back then I was not in the central IT team but I was afforded some latitude for experimenting with new things, especially when redundant hardware could be used. It was 1992 and the IMG tag was still in the realm of fantasy.

Later, there were two open source packages that became very popular, one called Analog and the other Linklint. The former produced statistics about website visitors and the latter could be used to check for errors, missing pages for example. Analog could, when provided with valid data, estimate which countries visitors were coming from, which is very useful when your organisation markets itself globally.

Of course, the marketeers desired more. I was once asked to find out where everyone who only looked at our home page went next. Ok, where they visited another of our own web servers this was do-able, but the question was expanded to ask which of our competitors they visited next. This was new thinking, by which I mean thinking that one could not associate with any other media. For example, if the publisher of one newspaper wanted to know which other newspaper a person took after only glancing at their own it would need some form of physical surveillance, or perhaps a questionnaire. Neither would be particularly reliable, the questionnaire in particular.

Enter, stage left, Google Analytics. I had attended a launch event – well of a sort anyway – where a new product was described which would enable one to search all across the web. The name? Google. We had rudimentary search products by this time but nothing like what was being described. Bells were ringing, but rather quietly. I think we could see back then that all of a sudden content has value, just not to us. But, Google search aside, we later got wind of Google Analytics and the bells got louder amongst those of us who could already see future issues.

Google Analytics arrived with two quite major advantages. First, IT people no longer had to do anything, and second, the marketeers would have access to easy to understand graphs. But those of us who had this nagging voice about global surveillance and the fact that a corporate entity would effectively have access to data indicating where everyone browsed were ignored. Fast forward to the later times of the GDPR and the coming soon and already years late PECR replacement, cookie laws and all that and I resist shouting we told you so but we did and it was back in 1994.

Of course, there was still an issue. Ok, we have this useful global search facility now but how do we include local content which is not accessible from outside? Google again to the rescue. I had a pair of Google Search Appliances (GSA) installed, one in each of our main data centres and fronted by a NetScaler appliance. This provided resilience to the loss of a single GSA. Being on our LAN the GSAs were able to spider content that was restricted to local access and which therefore could not be spidered by Big Google. It also provided a useful facility whereby we could rank, to some extent, content and could apply keyword and key phrase matching to direct searches to specific content which would then appear top in the list of results. This little Google was far more friendly, not being bloated by the desire of the mothership to know all things of all people. Perhaps no surprise then that Google eventually retired the GSA product in favour of a cloud based provision. You guessed it, they wanted to know who was accessing all your secret stuff too.

Are we really where we are because marketing people wanted to know everything about everyone and companies, not just Google, cashed in on it? Yes, I think so, and you can see just how far by those invasive adverts that themselves continually leverage new technologies to further invade. Remember pop-ups? And then pop-up blockers? And of course the whole cookie debate where a really quite useful facility enabling shopping carts among other things was hijacked in order to track us across webspace. Yeah, those. Remember the good old doubleclick cookie, adware, ad blockers, layers upon layers of this stuff. It is almost all because of marketing.

Advertising is here to stay and I have absolutely no issue with it. Although I generally ignore it I will admit to having seen something advertised that I was unaware of and which actually filled a need. But there is a constant battle between the marketeers and the techies which will continue because all of this, the Internet, the web, email is designed to help us and be easy to use and to access. And that’s where it all went wrong but it could not really exist any other way.

Data protection Privacy

Proof of existence

In the march to get rid of paper records and have everything online it is becoming increasingly difficult to prove one’s details when signing up to, or dealing with, a process still based on old school mechanisms such as requiring bank statements and proof of address. This, plus the fact that in becoming ever more online the World is requiring people to own and know how to use a mobile phone while having little, if any, regard to the affordability of such an item. Cursory throw-away lines such as pointing people without online access at home to their public library are becoming increasingly moot with library closures and, not least, with Covid19.

Examples of the complexities one may face are rife but here are two real-world examples, carefully crafted so as to not give any names away.

Person A works for organisation B and is changing roles within B. B needs two proofs of ID and two of address from A for the new role. However, A only has one proof of address, a bank statement. B states that a second bank account will do. A can open a bank account with another bank (C) online. C only needs a single proof of ID and a single proof of address, and A’s existing bank statement will suffice for the latter. Therefore, C has a lesser requirement for proof of ID and address than B and will provide a second proof of address to A to send to B. While one may argue that C has too low a burden of proof or that B has one too high, one cannot get round the fact that B already has all the information it needs as it is A’s employer.

Another example. A needs government department B to change some details about property C. B will not accept the evidence available to A but government department D does hold valid details about C. B tells A to purchase these from D. Why? Both B and D are government departments. In this case A simply dropped the issue given they had informed B of an error in the records held by B regardless of whether or not B would do anything about it.

In both the above cases the organisation in question (B in each case) has access, directly or otherwise to the information that they require from A. In the first example via existing employment records, and in the second by simply requesting it from another department.

Now, in each case, if A had an official government-scheme ID card, as was proposed and shot to bits several years ago in the UK, B would not require any further information because all such information would be tied into the ID card provided to A. A hypothesis therefore exists that the establishment, governmental, quasi-governmental and commercial, are collectively making processes so hard for all the ‘A’s in the country that a future proposal for all citizens to be issued with ID cards will succeed by the mere fact that people are so fed up with having to find more exotic ways of proving their existence that they will not vote against it.

That cannot be right.

Cookies and tracking Privacy

Yup, more cookie observations

I have mentioned before that I have all cookies blocked on the phone. It’s a bit of a faff sometimes, I mean if I really need to access a site that requires a login or similar I need to re-enable cookies, do whatever I needed to do, then block cookies again, but it’s no big deal really.

And it is interesting to see what websites do not even need cookies to function, as well as which websites are so badly constructed that they do not even render anything with cookies blocked. Oh yes, and those websites that throw up a cookie banner but which still work once you are past that, of course with no actual cookies having been set.

As an example, I just visited a well known petition website to add my name. It showed the usual cookie warnings which I ignored and managed to sign the petition with no issues at all. I have an email confirmation so it worked just fine.

This brings me back to my question, should any website need to set any cookies before you enter a part that actually requires them to be set? I still say no.

Privacy Security Website whinging

Failed circular verification

So, you need access to a Google doc but when you log in Google senses that the PC has not been used before and is suspicious. It needs verification.

Ok, first off, this is not me. I have access to Google etc. And verification is a great idea. But there is a hole and as yet we’ve not found the bottom.

Verification is all very well provided you can actually do what is required. But what if your verification is your works telephone and you did not enter a mobile number, nor do you want to tell Google your mobile number anyway?

Google has ‘other ways’ to verify you. Following this path it sends you a code to an email address. The only email address in use was the works one. The code came but this is not enough. Google still wants to send a text to a phone – it still wants that mobile number you don’t want to put in. This ends up being circular, with another code being emailed and, once again another request for a mobile.

In the end it was quicker to ask the document owner to simply email it rather than trying to reach the bottom of the hole being dug by Google.

Data protection Internet surveillance Privacy Security

Correcting the panoptic vision

Data retention – those laws requiring providers to retain communications metadata – has come under attack again from the CJEU. After a chain of legislation fell foul of data protection laws over the decades the latest and greatest Investigatory Powers Act is now on very thin ice.

The punchline in Case C‑623/17 was twofold. First, the court determined that “national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” falls under data protection legislation. And second, it found that the legislation precludes “national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

Mind you, given the government’s actions of late including enacting legislation which is technically illegal, one wonders what difference it will make. Throwing Brexit into the mix may not actually help Them out here because unless changes are made this will greatly affect the UK’s ability to transfer personal data as a third country to the EU. Perhaps Schrems, the destroyer of Safe Harbor and Privacy Shield will turn his attention on the UK!

Internet surveillance Privacy

US now wants your Facebook details when you visit

Lots of chatter today that the US now requires “nearly all applicants for U.S. visas to submit their social media usernames, previous email addresses and phone numbers”. (1) Essentially it requires visitors to give their social media information, phone numbers and e-mail addresses for the past 5 years.

The BBC carried a bit about this back in 2017 (2) which also stated that critics considered that checking up on these “could lead to extended, fruitless lines of inquiry or the collection of personal information not relevant to security checks”. Well, yeah, and I would need several continuation sheets to fill all my information in over that period.

A quick trawl through the visa waiver website suggests (a) that it is out of date because it does not indicate the requirement is now absolute and (b) clearly they will use this information to check up on you i.e. if your Facebook page marks you out as undesirable you’re out of luck. I did not delve further.

So your social media profile may now exclude you from entry. Of course, no undesirable type is capable of creating a fake Facebook profile are they…

So, is a blog social media? I’d argue not, yet I know this blog is spidered by Google (other spiders are available) regularly!

1 –

2 –


Facebook, WhatsApp, Messenger and Instagram

So, Facebook is planning to integrate WhatsApp, Messenger and Instagram. Facebook has owned Instagram since 2010 and WhatsApp since 2014, and Messenger was a Facebook original. What could possibly be wrong with that? I mean, everyone would want them to, right? And they do own them.

However, for me it’s not so much about the doing but how it is done. Taking just WhatsApp, it always marketed itself as encrypted end to end (E2EE). This is a great concept in these days of rampant surveillance but at least currently, this is only true where messages stay within WhatsApp.

One of the founders of WhatsApp quit and announced that we should all delete Facebook. Riding on the wave of the Cambridge Analytica scandal this added flames to the already burning fire.

Now we learn of Facebook’s plans to better integrate WhatsApp, Messenger and Instagram, making it easy for users of each to interact with users of any of the apps. Presumably Facebook will be core to this data merging. But what of E2EE?

Without searching for documentation on exactly how each app works, E2EE is supposed to ensure that messages sent are encrypted before sending and not decrypted until receipt. Ok, this works fine in theory and if apps do what they say on the tin it works in practice provided you remain aware of limitations, not least that once a message is decrypted for display then anything that can get at that display can logically get at the decrypted message.

And here’s the thing. If, say, you send a message from WhatsApp to Messenger then unless the keys are shared between the apps the message will need to be decrypted (and possibly re-encrypted) in order to send between these disparate apps. Think of it this way: The sending WhatsApp app encrypts in a way that the receiving WhatsApp app can decrypt and the message is never touched in between. But if there is an exchange that takes a message from WhatsApp and sends to Instagram then unless Instagram can directly decrypt the encrypted WhatsApp message the exchange needs to decrypt the message prior to sending it onwards. This exchange will presumably be buried deep within Facebook and, if so (and bear in mind this is a worst case scenario – I expect these guys have thought this through and will uphold E2EE. And, yes, pigs really do fly) the decrypted text will be accessible to Facebook. This is my worry here. Mind you, when I want to discuss something in private I do use other means…
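The difference described above, as an added example that is not part of the original post and is not based on how WhatsApp, Messenger or Instagram actually work: a key-less relay forwards bytes it cannot read, while a cross-app exchange that holds a key for each side necessarily sees the plaintext. The toy encrypt-then-MAC cipher, the `Relay` and `Bridge` classes and the sample message are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC cipher from the standard library; a stand-in for a real
# E2EE protocol, used only to show who can and cannot read a message.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_sealed(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

class Relay:
    """Same-app server (hypothetical): holds no key, forwards opaque bytes."""
    def __init__(self):
        self.observed = []
    def forward(self, blob):
        self.observed.append(blob)
        return blob

class Bridge:
    """Cross-app exchange (hypothetical): holds one key per side, so it decrypts."""
    def __init__(self, key_in, key_out):
        self.key_in, self.key_out, self.observed = key_in, key_out, []
    def forward(self, blob):
        plaintext = open_sealed(self.key_in, blob)  # plaintext exists here
        self.observed.append(plaintext)
        return seal(self.key_out, plaintext)

MESSAGE = b"meet at noon"  # constructed sample message

def demo():
    k_endpoints = os.urandom(32)  # known to sender and recipient only
    relay = Relay()
    same_app = open_sealed(k_endpoints, relay.forward(seal(k_endpoints, MESSAGE)))
    k_in, k_out = os.urandom(32), os.urandom(32)  # one key per app, both at the bridge
    bridge = Bridge(k_in, k_out)
    cross_app = open_sealed(k_out, bridge.forward(seal(k_in, MESSAGE)))
    return same_app, relay.observed, cross_app, bridge.observed

if __name__ == "__main__":
    print(demo())
```

Both recipients get the same message, but only the bridge's `observed` list contains it in the clear.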

There are of course issues with E2EE after a message has been received if, say you synchronise to cloud storage. Messages here will not be re-encrypted by the original app as it is no longer playing. They may be encrypted somehow before storage in the cloud but there are no guarantees here and it will depend entirely on the cloud service being used. However, assuming you are security aware and do not send any such messages off to cloud storage, can one really rely on E2EE in any shape or form once apps begin to pass messages between themselves? I doubt it but time will tell. Maybe I’m being too opsec here…

Privacy Website whinging

Again with the photo ID

I need to collect some building supplies. These were ordered online ‘click and collect’, the emails and associated text come to my phone, and yet I am told I need to bring photographic ID with me. I wonder if they will accept a photo of my passport photo on my phone… if there’s no queue I may well try that out!

Ok I can see the point, after all I already paid for the supplies and I would be really cross if someone faked my name and grabbed them.

Maybe if there was some government-backed ID other than a passport that can prove I am me… oh, wait.

Privacy Website whinging

Forcing the ID card debate?

I just caught sight of a document giving instructions to people who are attending an interview and claiming to be under ‘statutory identification rules’ but not giving any reference to them.

Bear in mind that these days we increasingly do everything online and, in some cases it actually now costs to get paper copies of bills when they can be delivered electronically.

First off, the attendee is required to produce either a passport, evidence of UK nationality, or a full driving licence. As far as I am aware there is no law stating that I must drive or even hold a passport if I don’t travel outside the UK.

Next, two items are required out of a set: bank (etc) statement; credit card statement; original birth or adoption certificate; utility bill or council tax bill but not a mobile phone bill. It would appear that this aims to find out if your address is correct.

Finally you need to provide your National Insurance card or original letter.

So what if you have no passport, no driving licence, and all your bills are electronic? The only winner here is your NI number.

I’ve seen this kind of requirement elsewhere too. It always makes me wonder that either these various departments are so hopelessly out of date with the modern world that they have not yet caught up to the fact that paper bills are rare, or this is a way to frustrate everyone so much that, if the ID Card debate is ever restarted, everyone will accept them willingly!


Facebook woes

Facebook recently hit the headlines due to the Cambridge Analytica event. Along with this came tales of doom and gloom and suggestions that Facebook will lose up to 80% of its members. Of course, news comes and fades, and leaves current memory. People will continue to use Facebook although some small number will close their accounts. And so it goes. Like so many others I’ve always said only put online what you don’t mind the whole world knowing. Anyone sharing nude photos with their partners should take note – a good few celebrities included.

Personally I use Facebook to keep in touch with friends and, as such all my settings are friends-only. I don’t use it to share generally, other of course than where I might click ‘like’ to an open post or share on an open group. To me this is just a part of using Facebook and I do not put anything on there that I would not wish the world to see. Facebook is free and useful and we need to remember that, but also remember to pay attention to those privacy settings and check when Facebook change them.

If I want to have a private conversation I use WhatsApp, Signal or Telegram. If I want it to be really private, well, I go and say it face to face! Yes I hear you, if we want to discuss stuff we should not be spied upon, but we’re in the real world.