Categories
Data protection Privacy

Proof of existence

In the march to get rid of paper records and have everything online it is becoming increasingly difficult to prove one’s details when signing up to, or dealing with, a process still based on old-school mechanisms such as requiring bank statements and proof of address. Add to this the fact that, in becoming ever more online, the world is requiring people to own and know how to use a mobile phone while having little, if any, regard to the affordability of such an item. Cursory throw-away lines, such as pointing people without online access at home to their public library, are becoming increasingly moot with library closures and, not least, with Covid-19.

Examples of the complexities one may face are rife but here are two real-world examples, carefully crafted so as to not give any names away.

Person A works for organisation B and is changing roles within B. B needs two proofs of ID and two of address from A for the new role. However, A only has one proof of address, a bank statement. B states that a second bank account will do. A can open a bank account with another bank (C) online. C only needs a single proof of ID and a single proof of address, and A’s existing bank statement will suffice for the latter. Therefore, C has a lesser requirement for proof of ID and address than B and will provide a second proof of address to A to send to B. While one may argue that C has too low a burden of proof or that B has one too high, one cannot get round the fact that B already has all the information it needs, as it is A’s employer.

Another example. A needs government department B to change some details about property C. B will not accept the evidence available to A but government department D does hold valid details about C. B tells A to purchase these from D. Why? Both B and D are government departments. In this case A simply dropped the issue given they had informed B of an error in the records held by B regardless of whether or not B would do anything about it.

In both the above cases the organisation in question (B in each case) has access, directly or otherwise to the information that they require from A. In the first example via existing employment records, and in the second by simply requesting it from another department.

Now, in each case, if A had an official government-scheme ID card, as was proposed and shot to bits several years ago in the UK, B would not require any further information because all such information would be tied into the ID card provided to A. A hypothesis therefore exists that the establishment, governmental, quasi-governmental and commercial, are collectively making processes so hard for all the ‘A’s in the country that a future proposal for all citizens to be issued with ID cards will succeed by the mere fact that people are so fed up with having to find more exotic ways of proving their existence that they will not vote against it.

That cannot be right.

Categories
Cookies and tracking Privacy

Yup, more cookie observations

I have mentioned before that I have all cookies blocked on the phone. It’s a bit of a faff sometimes, I mean if I really need to access a site that requires a login or similar I need to re-enable cookies, do whatever I needed to do, then block cookies again, but it’s no big deal really.

And it is interesting to see what websites do not even need cookies to function, as well as which websites are so badly constructed that they do not even render anything with cookies blocked. Oh yes, and those websites that throw up a cookie banner but which still work once you are past that, of course with no actual cookies having been set.

As an example, I just visited a well known petition website to add my name. It showed the usual cookie warnings which I ignored and managed to sign the petition with no issues at all. I have an email confirmation so it worked just fine.

This brings me back to my question, should any website need to set any cookies before you enter a part that actually requires them to be set? I still say no.

Categories
Privacy Security Website whinging

Failed circular verification

So, you need access to a Google doc but when you log in Google senses that the PC has not been used before and is suspicious. It needs verification.

Ok, first off, this is not me. I have access to Google etc. And verification is a great idea. But there is a hole and as yet we’ve not found the bottom.

Verification is all very well provided you can actually do what is required. But what about where your verification is your works telephone and you did not enter a mobile number, nor do you want to tell Google your mobile number anyway?

Google has ‘other ways’ to verify you. Following this path it sends you a code to an email address. The only email address in use was the works one. The code came but this is not enough. Google still wants to send a text to a phone – it still wants that mobile number you don’t want to put in. This ends up being circular, with another code being emailed and, once again another request for a mobile.

In the end it was quicker to ask the document owner to simply email it rather than trying to reach the bottom of the hole being dug by Google.

Categories
Data protection Internet surveillance Privacy Security

Correcting the panoptic vision

Data retention – those laws requiring providers to retain communications metadata – has come under attack again from the CJEU. After a chain of legislation fell foul of data protection laws over the decades, the latest and greatest Investigatory Powers Act is now on very thin ice.

The punchline in Case C‑623/17 was twofold. First, the court determined that “national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” falls under data protection legislation. And second, it found that the legislation precludes “national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

Mind you, given the government’s actions of late, including enacting legislation which is technically illegal, one wonders what difference it will make. Throwing Brexit into the mix may not actually help Them out here because, unless changes are made, this will greatly affect the UK’s ability to transfer personal data as a third country to the EU. Perhaps Schrems, the destroyer of Safe Harbor and Privacy Shield, will turn his attention on the UK!

Categories
Internet surveillance Privacy

US now wants your Facebook details when you visit

Lots of chatter today that the US now requires “nearly all applicants for U.S. visas to submit their social media usernames, previous email addresses and phone numbers”. (1) Essentially it requires visitors to give their social media information, phone numbers and e-mail addresses for the past 5 years.

The BBC carried a bit about this back in 2017 (2) which also stated that critics considered that checking up on these “could lead to extended, fruitless lines of inquiry or the collection of personal information not relevant to security checks”. Well, yeah, and I would need several continuation sheets to fill all my information in over that period.

A quick trawl through the visa waiver website suggests (a) that it is out of date because it does not indicate the requirement is now absolute and (b) clearly they will use this information to check up on you i.e. if your Facebook page marks you out as undesirable you’re out of luck. I did not delve further.

So your social media profile may now exclude you from entry. Of course, no undesirable type is capable of creating a fake Facebook profile are they…

So, is a blog social media? I’d argue not, yet I know this blog is spidered by Google (other spiders are available) regularly!

1 – https://www.cbsnews.com/news/state-department-now-requires-us-visa-applicants-to-share-social-media-accounts-2019-06-01/

2 – https://www.bbc.co.uk/news/technology-40132506

Categories
Privacy

Facebook, WhatsApp, Messenger and Instagram

So, Facebook is planning to integrate WhatsApp, Messenger and Instagram ( https://www.bbc.co.uk/news/technology-47001460 ). Facebook has owned Instagram since 2010 and WhatsApp since 2014, and Messenger was a Facebook original. What could possibly be wrong with that? I mean, everyone would want them to, right? And they do own them.

However, for me it’s not so much about the doing but how it is done. Taking just WhatsApp, it always marketed itself as encrypted end to end (E2EE). This is a great concept in these days of rampant surveillance but at least currently, this is only true where messages stay within WhatsApp.

One of the founders of WhatsApp quit and announced that we should all delete Facebook. Riding on the wave of the Cambridge Analytica scandal this added flames to the already burning fire.

Now we learn of Facebook’s plans to better integrate WhatsApp, Messenger and Instagram, making it easy for users of each to interact with users of any of the apps. Presumably Facebook will be core to this data merging. But what of E2EE?

Without searching for documentation on exactly how each app works E2EE is supposed to ensure that messages sent are encrypted before sending and not decrypted until receipt. Ok, this works fine in theory and if apps do what they say on the tin it works in practice provided you remain aware of limitations, not least that once a message is decrypted for display then anything that can get at that display can logically get at the decrypted message.

And here’s the thing. If, say, you send a message from WhatsApp to Messenger then, unless the keys are shared between the apps, the message will need to be decrypted (and possibly re-encrypted) in order to send between these disparate apps. Think of it this way: the sending WhatsApp app encrypts in a way that the receiving WhatsApp app can decrypt, and the message is never touched in between. But if there is an exchange that takes a message from WhatsApp and sends it to Instagram then, unless Instagram can directly decrypt the encrypted WhatsApp message, the exchange needs to decrypt the message prior to sending it onwards. This exchange will presumably be buried deep within Facebook and, if so (and bear in mind this is a worst-case scenario – I expect these guys have thought this through and will uphold E2EE. And, yes, pigs really do fly), the decrypted text will be accessible to Facebook. This is my worry here. Mind you, when I want to discuss something in private I do use other means…
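
The difference between the two hops described above, as an added example that is not part of the original post and does not describe how any of these apps work. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 standing in for a real messaging protocol, and every function name, key and message here is an assumption made up for illustration.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt, then authenticate nonce + ciphertext.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def relay_same_app(blob: bytes, seen: list) -> bytes:
    # Server between two clients of one app: holds no key, forwards bytes untouched.
    seen.append(blob)
    return blob

def bridge_between_apps(blob: bytes, key_in: bytes, key_out: bytes, seen: list) -> bytes:
    # Exchange between apps whose keys are not shared: it has to decrypt
    # with the sender-side key before it can re-encrypt for the other app.
    plaintext = unseal(key_in, blob)
    seen.append(plaintext)  # the message exists in the clear at this hop
    return seal(key_out, plaintext)

def demo():
    msg = b"meet at noon"  # constructed sample message
    k_pair = os.urandom(32)  # known only to the two endpoints
    relay_seen = []
    got_e2e = unseal(k_pair, relay_same_app(seal(k_pair, msg), relay_seen))
    k_a, k_b = os.urandom(32), os.urandom(32)  # sender<->bridge, bridge<->recipient
    bridge_seen = []
    got_bridged = unseal(k_b, bridge_between_apps(seal(k_a, msg), k_a, k_b, bridge_seen))
    return msg, got_e2e, relay_seen[0], got_bridged, bridge_seen[0]

if __name__ == "__main__":
    msg, got_e2e, relay_view, got_bridged, bridge_view = demo()
    print("relay saw plaintext: ", relay_view == msg)
    print("bridge saw plaintext:", bridge_view == msg)
```

Both recipients get the same message, but only the relay is left holding bytes it cannot read; the bridge holds the plaintext, which is the exposure the paragraph is concerned with.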

There are of course issues with E2EE after a message has been received if, say you synchronise to cloud storage. Messages here will not be re-encrypted by the original app as it is no longer playing. They may be encrypted somehow before storage in the cloud but there are no guarantees here and it will depend entirely on the cloud service being used. However, assuming you are security aware and do not send any such messages off to cloud storage, can one really rely on E2EE in any shape or form once apps begin to pass messages between themselves? I doubt it but time will tell. Maybe I’m being too opsec here…

Categories
Privacy Website whinging

Again with the photo ID

I need to collect some building supplies. These were ordered online ‘click and collect’, the emails and associated text comes to my phone, and yet I am told I need to bring photographic ID with me. I wonder if they will accept a photo of my passport photo on my phone… if there’s no queue I may well try that out!

Ok I can see the point, after all I already paid for the supplies and I would be really cross if someone faked my name and grabbed them.

Maybe if there was some government-backed ID other than a passport that can prove I am me… oh, wait.

Categories
Privacy Website whinging

Forcing the ID card debate?

I just caught sight of a document giving instructions to people who are attending an interview and claiming to be under ‘statutory identification rules’ but not giving any reference to them.

Bear in mind that these days we increasingly do everything online and, in some cases it actually now costs to get paper copies of bills when they can be delivered electronically.

First off, the attendee is required to produce either a passport, evidence of UK nationality, or a full driving licence. As far as I am aware there is no law stating that I must drive or even hold a passport if I don’t travel outside the UK.

Next, two items are required out of a set: bank (etc) statement; credit card statement; original birth or adoption certificate; utility bill or council tax bill but not a mobile phone bill. It would appear that this aims to find out if your address is correct.

Finally you need to provide your National Insurance card or original letter.

So what if you have no passport, no driving licence, and all your bills are electronic? The only winner here is your NI number.

I’ve seen this kind of requirement elsewhere too. It always makes me wonder whether either these various departments are so hopelessly out of date with the modern world that they have not yet caught up to the fact that paper bills are rare, or this is a way to frustrate everyone so much that, if the ID Card debate is ever restarted, everyone will accept them willingly!

Categories
Privacy

Facebook woes

Facebook recently hit the headlines due to the Cambridge Analytica event. Along with this came tales of doom and gloom and suggestions that Facebook will lose up to 80% of its members. Of course, news comes and fades, and leaves current memory. People will continue to use Facebook although some small number will close their accounts. And so it goes. Like so many others I’ve always said only put online what you don’t mind the whole world knowing. Anyone sharing nude photos with their partners should take note – a good few celebrities included.

Personally I use Facebook to keep in touch with friends and, as such all my settings are friends-only. I don’t use it to share generally, other of course than where I might click ‘like’ to an open post or share on an open group. To me this is just a part of using Facebook and I do not put anything on there that I would not wish the world to see. Facebook is free and useful and we need to remember that, but also remember to pay attention to those privacy settings and check when Facebook change them.

If I want to have a private conversation I use WhatsApp, Signal or Telegram. If I want it to be really private, well, I go and say it face to face! Yes I hear you, if we want to discuss stuff we should not be spied upon, but we’re in the real world.

Categories
Privacy

Conversational security in smartphones

Can you have a truly private textual conversation where other people have access to your mobile phone?

We have apps that maintain security by end to end encryption – WhatsApp and Signal for example. But the security of your personal data and, in this case perhaps your personal thoughts must start at your finger. In our connected world with apps that log themselves into, for example Facebook, Twitter and such, anyone who has access to your smartphone effectively becomes you. That should be obvious! But the traditional phone was a household appliance that anyone could pick up and use and to some extent the smartphone remains so. Can you imagine the suspicion that would be raised if a wife would not let her husband use her smartphone?

Yes, WhatsApp, Signal and other such apps are easy to use and offer a secure environment but the apps themselves simply open when asked and give access to all the conversations stored in them. Were these to require a keyword or a fingerprint then at least casual non-owner access to one’s smartphone would not yield any private conversations within the apps. Some apps are better thought out. My bank app needs a fingerprint or password, and my password vault is set to work by passwords only. Those passwords are not written down anywhere. This is the basic security that we always implemented before modern smart devices hit the streets.

Of course, there are other issues of even letting someone use your smartphone. I can illustrate one where someone (who will remain nameless!) complained to me that his friend’s fingerprint would open his phone. I headed to Google expecting a news story about a general failure of fingerprint security only to be interrupted when said person updated me – his friend had added his fingerprint when said person lent him their phone to make a call! However, even here password security on apps would still keep private conversations private. And yes, I have made that suggestion to the makers of the apps I use.