Posts Tagged ‘Google’

Google amends its Terms of Service

April 16, 2014

With most privacy laws you can pretty much do what you want provided you are up front about it. The key is the ‘informed consent’ of the user.

Google has been getting grief from legislators who claim that the complexity of its privacy policies make it impossible for users to be informed, and difficult for them to opt out if they do not consent.

One continuing argument is over Google’s scanning of email content in order to provide targeted advertising to Gmail users. The nub of the argument is that claimants say they have not given consent to this scanning while Google’s response is that consent is implied by use.

Now Google has made its practices explicit with a Monday addition to its terms of service. It has added a new paragraph:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
Google Terms of Service

I think Google was correct in reality if not legality when it claimed that consent was implicit in use — most if not all users are perfectly aware that email content is scanned electronically. The new paragraph makes this explicit: informed consent is now given by use of Google services.

What I still find interesting is that this consent is said to apply to received emails. If a non-Google user sends me a message, how is that user giving consent for the message to be scanned by Google? Is it realistic for non-Gmail users to read Google’s terms of service before emailing a Google user?

I don’t believe it is. So who owns the content: the sender or receiver? Copyright would suggest it is the sender — in which case this amendment to the terms of service will go some way, but not all the way, towards solving Google’s privacy issues.

Categories: All, Security Issues

New Android flaw could send you to a phishing site

April 14, 2014

Last week news of the Heartbleed bug broke. Initial concern concentrated on the big service providers and whether they were bleeding their users’ credentials, but attention soon turned to client devices, and in particular Android. Google said only one version of Android was vulnerable (4.11 Jelly Bean); but it’s the one that is used on more than one-third of all Android devices.

The problem is, Android simply won’t be patched as fast as the big providers. Google itself is good at patching; but Android is fragmented across multiple manufacturers who are themselves responsible for patching their users – and historically, they are not so good. It prompted ZDNet to write yesterday,

The Heartbleed scenario does raise the question of the speed of patching and upgrading on Android. Take, for instance, the example of the Samsung Galaxy S4, released this time last year: it has taken nine months from the July 2013 release of Jelly Bean 4.3 for devices on Australia’s Vodafone network to receive the update; it took a week for Nexus devices to receive the update.
Heartboned: Why Google needs to reclaim Android updates

Today we get further evidence of the need for Google to take control of Android updating – information from FireEye on a new and very dangerous Android flaw. In a nutshell, a malicious app can silently modify the home-screen icons of other apps.

FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.
Occupy Your Icons Silently on Android

The danger is that this can be done without any warning. Android only notifies users when an app requires ‘dangerous’ permissions. This flaw makes use of normal permissions, and Android does not warn on those. The effect is that an apparently benign app can have dangerous consequences.

FireEye’s POC test app does not display any warning to the user

As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)

Google has already released a patch for Android, and Nexus users will soon be safe. But others? “Many android vendors were slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” urges FireEye.

Categories: All, Security Issues

Don’t let the government or the tech giants fool you into thinking anything is changing

April 1, 2014

When Bruce Schneier left the employ of BT, he finally got off the pot. His natural inclinations can now be seen. He still hasn’t criticised BT despite it being obvious that BT is no more innocent than any of the big American telecoms companies — but he told me (by email) at the time that he tried to avoid getting involved in foreign politics.

Bruce Schneier: photo by Doug Logan

Bruce Schneier — the ex-BT, anti-surveillance privacy guru

He hasn’t been 100% consistent in this. When Swedish journalists discovered Swedish involvement in the MITM NSA/GCHQ hacking program known as Quantum, he said, “Both Quantum and FoxAcid are NSA/GCHQ programs to attack computer users. The fact that Sweden is involved in these programs means that Sweden is involved in active attacks against internet users. It is not just passive monitoring. This is an active attack.”

One day we may yet hear what he knows about BT’s cooperation with GCHQ (Tempora et al).

In the meantime, he is now no longer backward in commenting on surveillance in general and the NSA in particular. An article in The Atlantic last week warns us not to listen uncritically to the protestations of either the NSA or the tech giants that now appear to be up in arms against this NSA hacking and surveillance.

The tech giants (Google, Facebook, Yahoo, Microsoft etcetera) all claim to be doing what they can to prevent further snooping. But they are not doing the one thing that would work — they are not encrypting user data on servers in a way that would be impossible for governments to demand the keys. And the reason they are not doing this is simply because the vendors and the governments both want the same thing — to be able to read our data.

The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.”
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong

The reality is that for so long as the vendors want access to our data, the governments will be able to demand it. Neither of those is changing, although both sides are trying to pretend it is.

Categories: All, Politics, Security Issues

If it’s not outright lies, it is downright deceit: the NHS and patient data

March 23, 2014

I had to visit the hospital the other day. I’m not going to say why, because that’s private, personal and confidential. Suffice it to say that the condition isn’t one that I wouldn’t tell my mother; but it is one that I’d prefer potential employers and insurers know nothing about unless I tell them (it’s probably nothing anyway). I would most certainly not want the pharmaceutical industry to know — the drugs they offer make the (possible) condition much worse, and introduce new ones.

But I don’t need to worry, do I? At the bottom of the hospital appointment letter, in bold type, is the statement:

All personal information about you is kept confidential at all times and is only shared when necessary to support your care and treatment. If we want to use your information for any other purpose, with the exception of when the law requires us to do so, we will talk with you and obtain your consent. If you have any concerns regarding this, please talk to the person providing your care and treatment.
(see grammatical note at the end of this post)

But that’s a lie. While the government wants to start centralizing our GP records in the autumn, it is already doing so with HES (Hospital Episode Statistics). These are already held by the Health and Social Care Information Centre (HSCIC) which is where all of the records will eventually be held. According to the HSCIC website,

HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.

This data is collected during a patient’s time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data.

It is a records-based system that covers all NHS trusts in England, including acute hospitals, primary care trusts and mental health trusts. HES information is stored as a large collection of separate records – one for each period of care – in a secure data warehouse.

We apply a strict statistical disclosure control in accordance with the HES protocol, to all published HES data. This suppresses small numbers to stop people identifying themselves and others, to ensure that patient confidentiality is maintained.

Compare the two statements. It is perfectly clear that the hospital is lying. But the reality is, so is HSCIC.

Back in 2012, the marketing firm PA Consulting bought a copy of the HES data.

So we bought the data and installed it (with certain security restrictions) on our own hardware… [But querying the data took too long.] The alternative was to upload it to the cloud using tools such as Google Storage and use BigQuery to extract data from it… Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.

(That document seems to have been removed from the PA site, or hidden away. Anyway, I can no longer find it, and have to rely on the copy I have. It seems to have been replaced by a press statement from PA here and another from HSCIC here in a coordinated release. Neither of these should satisfy any patient.)

Ask yourself this: how can maps be produced without location data? What is location data if it is not personal identification information? How can data be transferred to a third party (Google cloud) and stay within the Data Protection Act? Remember that several different data protection regulators in various parts of Europe, including our own, have challenged Google over its privacy policy — and several have already fined Google the maximum possible for being in breach of European data protection laws.

The HES data sold by the government is pseudonymised — but still includes postcode and age (PA denies that it received DOB or address, but doesn’t specify whether that included ‘age’ and ‘postcode’). In other words, standard HES data specifies very clearly exactly who 98% of the patients actually are and where they live.
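The re-identification point above can be made concrete with a k-anonymity check. This is an added example, not code from the post or from HSCIC: it takes constructed pseudonymised episode records (invented postcodes, ages and diagnosis codes; the pseudo_id stands in for a hashed patient identifier), counts how many records share each (postcode, age) pair, and then shows how coarsening those two fields changes the answer.

```python
"""k-anonymity check for pseudonymised record-level data (added example).

The quasi-identifiers are the fields the post says survive in sold HES
extracts: postcode and age. A record whose (postcode, age) pair is unique in
the data is effectively identified even though the patient's name and NHS
number were removed.
"""
from collections import Counter

# Constructed sample records; all values are invented for this example.
RECORDS = [
    {"pseudo_id": "a1", "postcode": "YO1 7HH",  "age": 34, "diagnosis": "K35"},
    {"pseudo_id": "b2", "postcode": "YO1 7HH",  "age": 34, "diagnosis": "S52"},
    {"pseudo_id": "c3", "postcode": "YO1 8AA",  "age": 37, "diagnosis": "J45"},
    {"pseudo_id": "d4", "postcode": "YO1 8AA",  "age": 71, "diagnosis": "I21"},
    {"pseudo_id": "e5", "postcode": "YO1 9ZZ",  "age": 75, "diagnosis": "F32"},
    {"pseudo_id": "f6", "postcode": "YO24 4AB", "age": 52, "diagnosis": "C50"},
    {"pseudo_id": "g7", "postcode": "YO24 5CD", "age": 58, "diagnosis": "K80"},
    {"pseudo_id": "h8", "postcode": "YO24 6EF", "age": 55, "diagnosis": "M54"},
]

QUASI_IDENTIFIERS = ("postcode", "age")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size: k == 1 means at least one record is unique on the quasi-identifiers."""
    return min(equivalence_classes(records, keys).values())


def singleton_fraction(records, keys=QUASI_IDENTIFIERS):
    """Fraction of records that are the only one with their quasi-identifier combination."""
    classes = equivalence_classes(records, keys)
    singles = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return singles / len(records)


def generalise(records):
    """Coarsen the quasi-identifiers: outward postcode only, age in 10-year bands.

    This is the kind of generalisation a data controller applies before release;
    it keeps the diagnosis field (the sensitive attribute) intact.
    """
    out = []
    for r in records:
        decade = (r["age"] // 10) * 10
        out.append({**r,
                    "postcode": r["postcode"].split()[0],
                    "age": f"{decade}-{decade + 9}"})
    return out


def suppress_small_cells(records, keys=QUASI_IDENTIFIERS, threshold=5):
    """Aggregate to per-cell counts and blank any cell below the threshold.

    This mirrors the 'suppress small numbers' disclosure control described for
    published HES tables; it is what record-level extracts do not get.
    """
    return {cell: (n if n >= threshold else None)
            for cell, n in equivalence_classes(records, keys).items()}


if __name__ == "__main__":
    print("raw:        k =", k_anonymity(RECORDS),
          "unique fraction =", singleton_fraction(RECORDS))
    coarse = generalise(RECORDS)
    print("generalised: k =", k_anonymity(coarse),
          "unique fraction =", singleton_fraction(coarse))
    print("published cells (threshold 5):", suppress_small_cells(coarse))
```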

And then there’s Beacon Dodsworth, a firm that “provides geographical information system (GIS) mapping software and marketing technology to clients in a wide range of industries” including Estee Lauder, Trinity Mirror Group and Boots. It says

Hospital Episode Statistics (HES) have now been integrated with our P2 People & Places people classification thanks to some hard work from our clever developers.

This means you can now better understand the health needs of local communities and populations and identify trends and patterns in order to target health improvement more effectively.
http://www.beacon-dodsworth.co.uk/site/data/hospital-episode-statistics

So we seem to have a system that quite readily sells our hospital records to any marketing company that will pay for them, and then allows those marketing firms to advertise the ability to target us on the basis of our health. And at the same time, the NHS itself tells us something completely different: that the data is only seen by those involved in our treatment.

Now Ross Anderson, chair at the Foundation for Information Policy Research; Phil Booth, coordinator at medConfidential; and Nick Pickles, director at Big Brother Watch, have all filed a complaint with the ICO requesting that the issue be examined in relation to the Data Protection Act.

It will be interesting to see how the ICO can reconcile what to everyone else is a clear but hidden breach of confidential patient data — and the Data Protection Act — with this government’s desire to sell and share everything about us to anyone willing to pay for it, irrespective of our own wishes. Because the one thing we can be very sure about in all of this is that the ICO will do all he can to avoid doing anything at all.

grammatical note
The first sentence is a complete statement. The second sentence is also a complete sentence. There is nothing in the second sentence to indicate that it qualifies the first sentence. There is nothing in these two sentences from which a reasonable patient could infer that it really means, “We will not share your personal data with anyone other than the centralised government database operated by HSCIC, with whom we will always provide all of your details all of the time, and over which we have not the slightest control nor responsibility for your personal data.”

Categories: All, Politics, Security Issues

The UK government is simply lying about data protection reform

March 1, 2014

This coming week the European Justice and Home Affairs Council (i.e., national ministers from the individual national governments) will meet in Brussels. There are several items on the agenda.

Top of the list in a memo released by Viviane Reding is reform of the data protection laws. She says,

I am confident we will be able to build on the momentum injected into the negotiations by the Greek Presidency at the last informal Council meeting in January. Seeing the latest progress, I will continue working with Ministers for an adoption of the data protection reform before the end of this year.

Bottom of the list in a ministerial statement from Theresa May is reform of the data protection laws. She says,

There will be a state of play/orientation debate on the Proposal for a General data Protection Regulation. The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved. The proposal remains burdensome on both public and private sector organisations and the Government would not want to see inflexible rules on transfers outside the European Economic Area which do not reflect the realities of the modern, interconnected world.

And yes, they really are talking about the same thing. Most of Europe has already agreed the data protection reform proposals; but the UK doesn’t like it and won’t play.

The problem is, providing more protection for our personal information is difficult for the UK. It would upset the three most powerful organizations in the country: GCHQ, Google and Facebook. GCHQ would have its ability to collect our private messages, photos, home videos and internet browsing habits severely curtailed — and of course nobody would want to see that.

Google and Facebook would no longer be able to ship our personal information to servers outside of the UK; that is, the US, from where the NSA/FBI could demand access while declining to allow us to be told (assuming they need to since GCHQ will probably have already intercepted the data via its taps on the fibre cables that run between the two continents and simply handed it en masse to the NSA for storage and safe keeping).

Since these negative arguments would not prove popular to the British public, they are being hidden in spurious and frankly false claims that data protection will cost business. Yes there will be some cost in protecting our data (not nearly as much as the government would like us to believe); but that will be more than compensated by the lower cost of doing business with dozens of different data protection regimes. The net effect of reforming data protection will be greater data protection at a lower overall cost.

But Theresa May doesn’t want us to understand that. She and David Cameron would like us to believe that they are protecting us when they are really just protecting vested interests and actually selling us down the river. They are willing to trade our privacy to keep GCHQ and big American business happy.

Categories: All, Politics

This will upset Google far more than the €150,000 fine…

February 12, 2014

The home page for Google France from a few days ago. It’s been removed now; but just in case anyone missed it…

[Image: Google France home page]

Categories: All, Politics, Security Issues

What is the UK government doing in embedding Google Analytics into confidential government websites?

February 4, 2014

Perhaps the biggest news today is that the NHS has been redirecting its web visitors to a site hosting malware. It’s OK, though, because the NHS hasn’t been hacked – it managed to endanger its users without any outside help from the bad guys.

The problem was a typo. One of its own developers input googleaspis.com instead of googleapis.com. A bad guy found this before the NHS found it. He registered googleaspis.com and simply waited while the NHS thoughtfully sent its visitors along to be infected – and nobody knows how many may have been.

Typo found… problem solved… nothing to see here… move along please…

But it’s not a problem solved; it’s a problem found – and most of the press reports have missed it. Infosecurity Magazine (NHS Website Not Hacked, Just Exploited) did not miss it. The problem is this: what is the NHS doing using googleapis.com at all? The practice is, according to privacy expert Alexander Hanff, illegal under the EU’s ePrivacy directive.
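The two problems in this post, a one-letter typo in a third-party host and the use of a third-party host at all, are both things a site owner can check for before a page is served. The following is an added example, not code from the NHS or from the original post: it extracts the hosts a page loads scripts and stylesheets from, flags any host not on an explicit allowlist, and separately flags hosts within a couple of keystrokes of an allowed host, the way googleaspis.com sits one letter from googleapis.com. The allowlist and the partner hostname in the sample are assumptions.

```python
"""Audit the external hosts a web page pulls scripts and stylesheets from (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample page. The googleaspis.com reference reproduces the typo
# described in the post; cdn.example-partner.net is an invented third party.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://ajax.googleaspis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="https://cdn.example-partner.net/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

# Hosts the site owner has knowingly chosen to depend on (assumption for the example).
ALLOWED_HOSTS = {"ajax.googleapis.com", "fonts.googleapis.com"}

# Matches the src/href attribute of <script> and <link> tags.
_SRC_RE = re.compile(r'<(?:script|link)\b[^>]*?\b(?:src|href)=["\']([^"\']+)["\']', re.I)


def external_hosts(html):
    """Return the set of hostnames referenced by script/link tags; same-origin paths are ignored."""
    hosts = set()
    for url in _SRC_RE.findall(html):
        if url.startswith("//"):
            url = "https:" + url  # scheme-relative URLs still name a host
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit(html, allowed=ALLOWED_HOSTS, max_distance=2):
    """Classify each external host as allowed, a likely typo of an allowed host, or unlisted.

    A host one or two edits away from an allowed one is the classic slip a
    squatter can register and serve malware from, so it is reported separately.
    """
    report = {"allowed": set(), "typo_suspect": {}, "unknown": set()}
    for host in external_hosts(html):
        if host in allowed:
            report["allowed"].add(host)
            continue
        nearest = min(allowed, key=lambda a: edit_distance(host, a))
        if edit_distance(host, nearest) <= max_distance:
            report["typo_suspect"][host] = nearest
        else:
            report["unknown"].add(host)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_HTML)
    for host, near in result["typo_suspect"].items():
        print(f"TYPO? {host} (looks like {near})")
    for host in sorted(result["unknown"]):
        print(f"UNLISTED third party: {host}")
```

Run as a pre-publish check, the typo would have been caught before the page went live; the "unknown" list is the inventory of third parties whose inclusion the site owner has to justify.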

Alex told me more. The law in question is specifically article 5.3 of the ePrivacy directive and the Privacy and Electronic Communications Regulations (PECR) – better known as the ‘cookie law’; and the biggest culprit is the UK’s own privacy regulator, the Information Commissioner’s Office. “The problem is,” Alex told me, “the ICO refuses to enforce PECR on the issue of 5.3 of the ePrivacy Directive (aka, the cookie law), despite the fact that ICO itself stated that the use of third-party analytics does not meet the requirement of strict necessity. This was before it did a complete 180 after Google reached a deal with the Department for Culture, Media & Sport (DCMS).”

Alex set about discovering more, and used the Freedom of Information Act to get to the bottom of why the ICO had changed its standpoint. If your blood pressure will take it, it is worth reading Who Regulates the Regulator? But be warned, you will indeed find that bureaucratic boilerplate:

Having considered all of these factors we have taken the decision that the public interest in withholding the information outweighs the public interest in disclosing it. Therefore in this instance we are unable to provide you with the correspondence in question.

To Alex, this just smacks of corruption. “The perpetual threesome between Big Data, ICO and the UK Government is an orgy of corruption which flies in the face of European Regulation and is one of the most significant illustrations of why the ICO should be disbanded and replaced with a regulator that is truly detached from government and industry.”

This is not actually an extreme position. Last week European justice commissioner Viviane Reding highlighted some of the things she would like to change, including to ‘correct’ the situation in Germany, where the minister of the interior can take disciplinary action against the data protection commissioner. “Is effective supervision really possible under these circumstances?” she asked.

Clearly the actual independence of the UK’s ICO from the UK government can also be questioned – and perhaps we should all hope that the Eye of Reding turns towards the UK. But in the meantime, I repeat my earlier question: What is the UK government doing in embedding Google Analytics into confidential government websites?

Categories: All, Politics, Security Issues

Google, thy name is hypocrite

January 25, 2014

Do no evil is best known today as a Google reference; but it occurs earlier in the Bible (2 Corinthians 13:7 King James):

Now I pray to God that ye do no evil; not that we should appear approved, but that ye should do that which is honest, though we be as reprobates.

Do as you would be done by is an immediately recognisable biblical reference (Matthew 7:12 King James):

Therefore all things whatsoever ye would that men should do to you, do ye even so to them: for this is the law and the prophets.

Google has claimed the former, but ignores the latter.

It recently removed two extensions from its Chrome webstore: Add to Feedly and Tweet this Page. This was a good thing. Although the extensions originally did what’s described on the tin, they had been bought by advertising companies of the worst sort. Those advertising companies subsequently slipped in, via automatic updates, adware engines.

Automatic updates are a double-edged sword. In the hands of a supplier you trust they can be a tremendous boon — security patches and software improvements just happen. But in the hands of a dubious firm, automatic updates are a troublesome problem. They can, and in the case of these two extensions did, covertly install all manner of things.

To get round the problem Google has changed its terms of service. In future, extensions will need to be clearly defined — the new terms state that extensions must have “a single purpose,” and be “narrow and easy-to-understand”. Adding a new function secretly, such as adware, clearly breaches these rules.

Google invoked these rules to remove the extensions. In general, however, the company says the new terms won’t be enforced widely until the summer. That implies there will then be some form of enforcement methodology — extension auditing, for example.

Again, this is a good thing. Google is saying that its users should know what the software they use actually does, and it should be easily understood, and their privacy should not be abused.

Which is more or less what the European Union is saying to Google itself. Two European data protection regulators (France and Spain) have already fined the company the maximum possible for breaking privacy laws. Four others (Germany, Italy, The Netherlands and the UK) have agreed that the privacy laws have been broken. Germany, Italy and The Netherlands are expected to levy fines. The UK is more likely to discover some weasel way to avoid fining Google (because of the UK’s traditional thrall to big business), but nevertheless holds Google in breach of the law.

The issue is Google’s privacy policy. It is deemed to be confusing, obscure, and lacking in the means for users to understand or control Google’s use of their personal data. In other words, it is neither of a single purpose nor simple and easy to understand. “Google spins an invisible web of our personal data, without our consent. And that is forbidden by law,” says Jacob Kohnstamm, chairman of the Dutch Data Protection Authority.

Google is doing unto Europe what it won’t allow its app providers to do unto Google: confuse, break the rules and dissemble. It is clearly hoping and expecting that its sheer size will prevent Europe smacking it in the same way it smacked those that disobeyed its own rules. Here’s hoping…

Categories: All, Security Issues

Randy Abrams bids farewell to Google+

January 10, 2014

Yesterday Google announced a new feature in Gmail: it integrates with Google+. Gmail will now supply the address of anyone you follow even if you don’t have, and that person has never provided, the relevant email address.

There are obvious privacy issues here. But it’s not as simple as that and there are easy opt-outs. Nevertheless, you can see how some people might be concerned. Randy Abrams is one such person. In fact, he’s so concerned, he’s dumping G+.

[Screenshot: Randy Abrams’s farewell post on Google+]

Is it just me? “I’m leaving G+ because of the way they treat their users. You can find me over at Facebook…” Does nobody else find that just a wee bit, well, strange…?

Categories: All, Security Issues

British government and Google both use ‘filtering’ as a pretext for censorship

January 5, 2014

On Friday Laurie Penny wrote a piece in the Guardian’s Comment is Free: David Cameron’s internet porn filter is the start of censorship creep. The gist is that under the guise of protecting children, Cameron’s government is intent on controlling adults.

For example, she wrote:

The category of “obscene content”, for instance, which is blocked even on the lowest setting of BT’s opt-in filtering system, covers “sites with information about illegal manipulation of electronic devices [and] distribution of software” – in other words, filesharing and music downloads, debate over which has been going on in parliament for years. It looks as if that debate has just been bypassed entirely, by way of scare stories about five-year-olds and fisting videos. Whatever your opinion on downloading music and cartoons for free, doing so is neither obscene nor pornographic.

But we should not be surprised. Filtering has always been used as a disguise for censorship – and not just by governments. For example, I recently emailed Alexander Hanff, a well-known privacy expert and advocate, for his views on the GDPR (specifically for an article I was writing at the time). He replied, but with this surprising comment:

[Screenshot: Alexander Hanff’s reply]

‘Nothing to do with me, guv,’ I quickly replied. Well, he looked into it, and to cut a long story short (you can read the full version on his blog: Gmail scanning becomes censorship), he came to the conclusion that Google is effectively using ‘privacy’ as a trip for its spam block.

Alexander gives several reasons why this email could not be considered spam by any half-decent filter: it was clearly a reply; it included his PGP key; and it included both a delivery and a read receipt. His conclusion:

What makes this even more ironic, is the email content was all about an EU Regulation of which Google would be one of the corporations it impacts most – an email about privacy, scanned by a filter which goes against privacy and run by a company that has declared war on privacy because this single, fundamental right interferes with their illegitimate and unethical revenue model.

Alexander’s conclusion is that this was incompetence, ironic incompetence, bordering on censorship. But it’s a fine line – and personally, I’m not so sure. Google’s filters are essential to its business model. It cannot afford to get them wrong. And its revenue record demonstrates that it doesn’t get it far wrong. A little tweak here, and a little tweak there, and Cameron’s ability to censor anything he wants becomes a simple reality.

And as far as I can see, Google is already testing out its model. In this instance it was an inoffensive email to a journalist about the GDPR. But filtering and blocking emails to journalists is a worrying trend with worrying potential.

Categories: All, Politics, Security Issues