Email sent to: website-exclusion@webwise.com

Date / Time: 28 April 2009 / 7.18pm UK Time

Subject: Website Exclusion Request: e-ignite.co.uk [An open letter]

Content: To whom it may concern,

I own and operate the domain e-ignite.co.uk and all subdomains under this domain.  I wish this website and all its subdomains to be excluded from Webwise / Phorm for the benefit of the privacy of all visitors to the site.  I fundamentally disagree with the Webwise tracking practices and I also disagree with the policy that website owners have to specifically opt-out via email – a Webwise / Phorm specific entry in robots.txt should be respected.

Regards.

If you own your owh website, the Phorm / Webwise system will automatically track your visitors and serve up behavioural advertising on the basis of the content on sites the users have been browsing.  Unlike reputable search engines and other robots (such as Google, Yahoo etc), Phorm / Webwise does not respect a command to specifically disallow the bot from indexing your pages unless you disallow all bots (including search engines etc – basically, this would remove your website from the likes of Google).  This is unacceptable and is extremely poor practice, and you therefore have to send an email to the above email address to de-list your site from the Phorm / Webwise tracking.  I have included this open letter to the makers of Phorm / Webwise in an effort to reassure visitors that e-ignite does in fact take privacy seriously and to make it publicly clear that we do not agree with the practices of tracking web users activity.

From a practical point of view, this means that ISPs have to store masses of data – bear in mind that this is all emails received, so this will include the details of tens of millions of spam messages sent each day in addition to legitimate emails. The UK Government are also going to have to pay the ISPs to record this information, with cost estimates ranging between £25 Million and £70 Million. With these costs in mind, perhaps it won’t be long before the government compiles all the email records into one central database – this is a real concern, not least because of the many highly publicised data breaches but for your privacy. The director of human rights group “Liberty” stated that you have a human right to privacy, and this right should be protected. It is very difficult to regain privacy after it has been removed.

So how would you feel knowing that details of every single email you sent or received had been recorded and monitored? Is this the kind of thing that should happen in a free and democratic society? Or do you find this sinister and of great concern?

We’ve seen the function creep of technologies like this already – for example, average speed cameras that use number plate recognition to catch those speeding were installed under the promise that they would only ever be used for the purposes of speed control. Now though, we see that they are used to track movements of “terrorists” or “serious criminals”. With a database of all calls made and received, will the function eventually creep so that your exact location is logged every fifteen minutes or so when your mobile phone “checks in” with the network? Email on the move is also susceptible to this form of tracking – the IP address that sends the email could be tracked and in the future, why would they not start logging all the websites you’ve visited recently?

It really is frightening to think that this form of culture has become acceptable and that people simply “don’t care” that their privacy is being taken away from them. As the BBC News story reports, Britain is in danger of “sleep-walking into a surveillance society” – some may argue it is there already.

With several major data protection breaches being widely publicised in the media of late, how can the government justify trying to record more and more information if they can’t protect it properly? Should data such as this be leaked into the wrong hands, the consequences could be dire – imagine people’s movements and communications being tracked and used against them in blackmail or extortion. It may seem like an extreme reaction to an issue that, to some, may seem fairly minor. However, it is important to think of the possible consequences of such a move and decide if it will be a minor issue in the long run.

Minor? Personally, I think not.

From the article:

National Intelligence Director Mike McConnell is drawing up plans for cyberspace spying that would make the current debate on warrantless wiretaps look like a “walk in the park,” according to an interview published in the New Yorker’s print edition today.

McConnell is developing a Cyber-Security Policy, still in the draft stage, which will closely police Internet activity.

“Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the autority to examine the content of any e-mail, file transfer or Web search,” author Lawrence Wright pens.

“Google has records that could help in a cyber-investigation, he said,” Wright adds. “Giorgio warned me, ‘We have a saying in this business: ‘Privacy and security are a zero-sum game.’”

A zero-sum game is one in which gains by one side come at the expense of the other. In other words — McConnell’s aide believes greater security can only come at privacy’s expense.

Please read the whole article on the Raw Story website and some user’s comments about the story on Slashdot to see how this may affect you. Personally, I find this frightening – the laws of the United States shouldn’t affect me directly, but if the US administration decides that privacy is no longer important and their “crime prevention” methods of monitoring every email they wish go though, you, me and virtually everyone globally will be affected directly with little we can do.

Perhaps it’s time you thought about encryption…

The report can be found here on the Privacy International website and I’d recommend you take a look and see how your own country got on.

Here’s a summary of the report’s main findings for the United Kingdom:

• World leading surveillance schemes
• Lack of accountability and data breach disclosure law
• Commissioner has few powers
• Interception of communications is authorised by politician, evidence not used in court, and oversight is by commissioner who reports only once a year upon reviewing a subset of applications
• Hundreds of thousands of requests from government agencies to telecommunications providers for traffic data
• Data retention scheme took a significant step forward with the quiet changes based on EU law
• Plans are emerging regarding surveillance of communications networks for the protection of copyrighted content
• Despite data breaches, ‘joined-up government’ initiatives continue
• Identity scheme still planned to be the most invasive in the world, highly centralised and biometrics-driven; plan to issue all foreigners with cards in 2008 are continuing
• E-borders plans include increased data collection on travellers

It’s particularly interesting to note that the UK has been divided into two “regions” – the main part of the report on the UK refers to England and Wales, and this got the rating of Endemic Surveillance Society”. The section referring to Scotland gave a lower rating of “Systematic failure to uphold safeguards” and the following comments were made:

• Inherited constitutional and statutory protections from UK Government and only some of the policies
• National policies are not judged, e.g. Communications surveillance, border and trans-border issues
• Stronger protections on civil liberties
• DNA database is not as open to abuse as policy in England and Wales
• Identity policy is showing possibility of avoiding mistakes of UK Government
• Scottish government appears more responsive and open to informed debate than local governments in England

This segmentation of the report for the UK was not done in previous reports by Privacy International, although it shows that some improvements or differences have actually been achieved by the devolution of Scotland’s parliament.

Of interest to some readers is the following summary for the United States of America:

• No right to privacy in constitution, though search and seizure protections exist in 4th Amendment; case law on government searches has considered new technology
• No comprehensive privacy law, many sectoral laws; though tort of privacy
• FTC continues to give inadequate attention to privacy issues, though issued self-regulating privacy guidelines on advertising in 2007
• State-level data breach legislation has proven to be useful in identifying faults in security
• REAL-ID and biometric identification programs continue to spread without adequate oversight, research, and funding structures
• Extensive data-sharing programs across federal government and with private sector
• Spreading use of CCTV
• Congress approved presidential program of spying on foreign communications over U.S. networks, e.g. Gmail, Hotmail, etc.; and now considering immunity for telephone companies, while government claims secrecy, thus barring any legal action
• No data retention law as yet, but equally no data protection law
• World leading in border surveillance, mandating trans-border data flows
• Weak protections of financial and medical privacy; plans spread for ‘rings of steel’ around cities to monitor movements of individuals
• Democratic safeguards tend to be strong but new Congress and political dynamics show that immigration and terrorism continue to leave politicians scared and without principle
• Lack of action on data breach legislation on the federal level while REAL-ID is still compelled upon states has shown that states can make informed decisions
• Recent news regarding FBI biometric database raises particular concerns as this could lead to the largest database of biometrics around the world that is not protected by strong privacy law

The report does not make comfortable reading when you consider this is a documented erosion of privacy worldwide. With only one country (Slovenia) out of all those reported upon whose privacy safeguards are actually improving, it is distressing to think that all others are either staying the same or deteriorating.

My advice would be to read the report and think about how this may affect you. You could make small changes such as taking steps to communicate securely, or you may let these issues affect the way you vote in various elections. Either way, don’t just ignore it – be aware and be informed.

It’s official: You have no right to the expectation of privacy when your computer is in for repair.

A recent Slashdot article told the story of a man from Pennsylvania who had his computer in for repair (a repair to the DVD burner of his PC). When the computer was in for the repair, technicians found illegal pornography on his hard disk, and he was reported to and arrested by the police. When it went to court, he successfully argued that the technicians had no right to be accessing data on his hard drive, but this decision was later overturned by a prosecution appeal.

In no conceivable way do I support his actions relating to the illegal material found on his computer, and I believe that people who make and access this material deserve to be prosecuted to the full extent of the law.

The fact the the material in question was found on the computer, however, highlighted the issue: do you or can you trust computer technicians with your data when your computer is in for repair?

Realistically, the computer technicians shouldn’t be rummaging through hard drives of people whose computers are in for repair – in the example case shown in the Slashdot story, the person’s DVD drive was being repaired – this could have been replaced or fixed without the need for the technicians to even turn on this person’s computer. So why did they hunt around on the hard disk? What were they looking for? And do they do it with every computer they are trusted to repair?

In this case, it’s difficult to show any sympathy with the man because of the nature of the material he was caught with, and realistically he was a criminal and deserved to be caught. But what if it was your computer and your data? Even if you had simple things like emails, invoices or financial information somewhere on your hard disk – would you be happy knowing that this was being looked at by others? Unfortunately, this is also a problem if equipment is ever lost or stolen, and anyone can access your private information – it could even be used as part of identity theft or phishing scams after it got into the wrong hands, so all I’m suggesting is that you think about your data. What is private and what should you be protecting?

Due to a large number of personal emails, online receipts and financial data held on my computer, I use truecrypt to secure my data. Perhaps file encryption is something you will consider before you next entrust your computer to an unsupervised stranger.

The full story can be read at Wired.com, but I’ve summarised the main points in the quotes below:

“A federal appeals court on Monday issued a landmark decision that holds that e-mail has similar constitutional privacy protections as telephone communications, meaning that federal investigators who search and seize emails without obtaining probable cause warrants will now have to do so.”

“The case boiled down to a Fourth Amendment argument, in which Warshak contended that the government overstepped its constitutional reach when it demanded e-mail records from his internet service providers. Under the 1986 federal Stored Communications Act (SCA), the government has regularly obtained e-mail from third parties without getting warrants and without letting targets of an investigation know (ergo, no opportunity to contest).”

“The appellate court affirmed the lower court’s decision, agreeing that e-mail users have a reasonable expectation of privacy, regardless of how old their correspondence is and where it is stored.”

Below is a direct quote from the court’s ruling:

“In considering the factors for a preliminary injunction, the district court reasoned that e-mails held by an ISP were roughly analogous to sealed letters, in which the sender maintains an expectation of privacy. This privacy interest requires that law enforcement officials warrant, based on a showing of probable cause, as a prerequisite to a search of the e-mails.”

In terms of privacy for users and legislation for those who uphold the law, this decision is a major step forward in the US at least. It would be interesting to find out what implications this will have for international users operating their email services on American service providers – for example, Gmail, Hotmail etc. Will international law enforcement agencies need to produce warrants to gain access to the emails stored on servers in the US?

A bit of history: the Hymn Project is one of the oldest methods for users to remove the copy protection from songs legally purchased through iTunes (prior to version 7). This has been heralded as a “consumer champion” since it allows users to play their purchased songs on whatever equipment they like. Legalities aside, it is widely used and liked by many users. One of the key points in the Hymn Project, however, is that it removes the copy protection, but retains all the purchaser’s details on the track tags. The removal of the purchaser’s details was possible according to the Hymn site, but they saw no justification to do so.  The makers of Hymn rightly state that they do not condone piracy, they are simply exercising their rights to use their legally purchased content how they see fit without being guilty of piracy.

Now, with iTunes Plus offering DRM free downloads, several sites feature complaints that this “hidden user information” is a major breach of privacy. I don’t think so.

The user information is held within what is essentially an editable tag – these tags are found on most audio files such as mp3 and hold information such as track title, artist and album. As far as I can tell, the purpose of placing the user information in the tags is to act as a deterrent for users to share their files, and this is absolutely understandable. They do not limit the way the files can be legally used in any way, nor are they exploitable in terms of privacy unless users give access to the files to other parties. If a user really wants to remove the personal information from the purchased iTunes files, I would find it very difficult to believe that it wasn’t possible, or even if it was difficult.

The right to privacy is just that: it is defined as “the state of being free from intrusion or disturbance in one’s private life or affairs” - it is not an excuse for breaching copyright or breaking the law. When you purchase songs online, you purchase the right to listen to them as you please in the manner you wish – the removal of DRM from some tracks on iTunes simply extends the list of devices on which you can use the files you have purchased. Removing DRM makes sharing files possible, but it does not make it legal. I’m afraid that any claims of privacy breaches as a result of embedded personal details gain no sympathy from me (a self-admitted privacy advocate). In cases where “privacy” is used as a blatant excuse for law breaking, it reduces sympathy for the cause and degrades public and legal support for true and justified privacy. News stories such as this are, in my opinion, counter-productive.

So are Apple free from blame? No, not really. It perhaps should have been made clear from the beginning that DRM Free tracks would still contain personal details in the tags – this was no surprise to me since I expected it, although I can understand if people were expecting tracks as if ripped directly from a CD with nothing more than the required track tagging.

Is it a problem? Does it warrant protest? Are Apple or EMI in the wrong because of this? I don’t believe so.

Google have now announced that they will only retain this data for between 18 and 24 months before discarding it and making the historical data anonymous.  According to a Google spokesperson:

“By anonymising our server logs after 18 to 24 months, we think we’re striking the right balance between two goals: continuing to improve Google’s services for you, while providing more transparency and certainty about our retention practices”

The only time Google will be holding onto user data for longer than the published time is if it’s legally required to do so by a law enforcement agency.  Now, as a web-user who takes privacy issues quite seriously, I think this is an extremely large step in the correct direction.  Not because the data is retained generally, but because Google seem to have widely publicised exactly what they will do with their search data.  It will now be far clearer to users of the search engine what data is kept when they use the service and for how long.  I personally believe that this is the most important step – by releasing this information, it is up to the users to decide what they do and don’t us, and it is up to them to decide how much of their privacy they are willing to sacrifice when using a website.

You can read the full article on Slashdot and make up your own mind. However, the gaining momentum of the anti-privacy movement is becoming alarming.