Windows Phone - Not Ready Yet.

I was lucky enough to be given a Lumia 900 by Nokia and I have to admit, I do like the device and I do like the Windows Phone UI - but there are a significant number of problems which need to be addressed.

Firstly, early adopters of the Windows Phone platform have been hung out to dry by Microsoft - 1st generation devices will not be issued with an upgrade to Windows Phone 8, which when you consider those who purchased these devices (as opposed to carrier subsidised devices) paid upwards of £450 for the Lumia 900 and slightly less for the 800, to then be told 8 months later that they will not receive an update for the new version of the Operating System, is very disappointing.  Early adopters cannot be blamed for being very angry at Microsoft for this - there should at least be some form of reasonable trade-in available so early adopters can recover some of the costs whilst still making an upgrade to Windows Phone 8, especially in light of the announcement by Microsoft that Windows Phone 8 will be officially supported for a minimum of 18 months (which just rubs even more salt in the wounds of the early adopters left with Windows Phone 7 devices).

Now to the serious issues with the OS which to my knowledge have still not been addressed in Windows Phone 8.

Network Time Protocol (NTP)
Many Windows Phone 7 devices (particularly Nokia Lumias) suffer from time loss issues.  My Lumia 900 for example, loses several minutes every month, which is incredibly annoying and makes syncing up meetings and conference calls with my Calendar less that satisfactory as I will generally be late if I do so.  There is no way to sync Windows Phone 7 (and as far as I know Windows Phone 8) with a network time server - such a simple fix to implement, but never addressed by Microsoft.

Password Protected Office Files
It is nice to have Office on my phone, but it is useless if I cannot open password protected Office documents.  Given the inclusion of SkyDrive with Windows Phone, it seems to be incomprehensible that Windows Phone does not support opening password protected Office files because anyone who is storing files in the Cloud (SkyDrive) without encryption or password protection, is a fool - especially if said files are business related.

I understand that some of the encryption woes have been addressed in Windows Phone 8 but as far as I know there is no way to fully encrypt the userspace with either version 7 or version 8 of the Operating System - this leaves your contacts, calendar, SMS, email, social network messages and notifications etc. all unprotected - something I take issue with.

Virtual Private Network (VPN)
Windows Phone 7 (and as far as I am aware, Windows Phone 8) has no means of connecting to a VPN.  In the current world where telco's are using Deep Packet Inspection (DPI) to sniff everything you do on their network for the purpose of ToS enforcement or Behavioural Profiling/Advertising, the ability to encrypt all your communications is not just a feature, it is essential - especially on a device used for business communications.  The DPI use is not limited to mobile networks either, the vast majority of free WiFi services across the world are employing the same sniffing technology to inject behavioural ads into the content you view via their networks - that means your emails, the web pages you visit, your online chats or any other Internet Protocol (IP) communication which is not encrypted is being spied on by countless third parties.

Location Tracking
Every single app I have installed on Windows Phone requires me to consent to Location Tracking (literally every single app - it is almost as though it is a default) even though I have disabled location tracking in the OS.  This is a massive privacy issue and one which as a privacy professional, makes me particularly angry.  There is no excuse for it, just stop doing it.  If you develop Windows Phone Apps stop asking for permission to things you do not need - the vast majority of apps do not need location tracking and if your ad partner requires location tell them to either provide an option without location tracking, or find another ad partner.  If you refuse to grant location tracking on these apps, they will not install - it is wholly unacceptable.

So, just a few reasons why I am at odds with Windows Phone - all important, all serious and all indications that the platform simply is not yet ready - especially for business use.  That said, neither are Android or iOS which both have their own very serious security and privacy issues - does this mean the only option is RIM?  I have never used or reviewed a Blackberry so I honestly can't comment - although I do have a dozen or so friends who work for RIM and swear by them - what do you guys think (answers in comments)?

Are Google and Facebook devaluing Privacy?

Privacy Advocates often say that Google and Facebook are devaluing privacy and we use various arguments to support our claims, mostly based around the fact that their entire business models are based on making you and I their product - we are no longer people, we are a commodity traded around the world on a minute by minute basis without any control over how we are being sold. Effectively we are digital slaves, being sold not just to the highest bidders but anyone who is willing to pay money for us, effectively dilluting the value of our privacy exponentially with every single sale.

These are strong arguments and I have used them time and time again in speeches I give at conferences and consultations around the world, but as a social scientist, empirical evidence is always stronger than abstract ones and now we have an opportunity to provide it.

A couple of weeks ago Facebook released their financial results for 2011 and at the time I tweeted that based on those figures, our privacy was worth $4.38 last year at Facebook (based on profits / number of Facebook users) which in turn amounts to a paltry $0.012 per day.

Today Google announced they would start paying people to opt-in to deep monitoring of their online behaviour using Chrome.  They haven't gone into a great deal of detail on how deep this monitoring will go, but let me suggest that it will go beyond merely caching the web sites you visit.  Given that Google have stated they will analyse how you interact with those pages it is not a stretch to suggest that this data will include not just the web sites you visit but very fine detail on how you use those sites such as the links you click on, where you move you mouse pointer, how long you spend on each page and a whole lot more.  For this you will be remunerated through $5 Amazon vouchers upto a maximum of $25 dollars - and since Google haven't set a time limit on this, one can only assume that that $25 is the maximum for life (or for as long as you conitnue to use their Chrome browser).

So there we have it, Facebook value your privacy at ~$4.38 a year and Google value your privacy at $25 in total.  To put this in context, most privacy laws were created after World War II in response to the behaviour of regimes such as the Stasi, to ensure that never again would human beings be treated in such inhumane ways; privacy was one of several other fundamental rights codified in law under various Human Rights treaties and legislation around the world.

The number of people in allied countries believed to have been killed in World War II is estimated to be in the 10s of millions, these people all died in the name of liberty, they died to create the world we live in today, they are the sacrifice the world paid to build our Human Rights framework.  I think their families and friends would agree with me that their lives were worth a lot more than $4.38 or $25 worth of Amazon vouchers; I would argue that the weight of the sacrifice makes our fundamental rights priceless.

I often find myself remembering the first speech I ever gave on privacy 15th April 2008 at the London based "Town Hall Meeting" about Phorm, where a veteran from World War II said through tears that his friends died for our rights, a 20 second moment of my life that will remain with me forever and even now puts a lump in my throat and brings tears to me eyes.

If ever you wanted empirical evidence that Google and Facebook devalue privacy, I hope this post has provided it for you.  Don't throw away rights that people died for, don't Opt In to Google's $25 insult and don't ever forget the millions who died to give you those rights.

Who Regulates the Regulator?

Take yourself back to May 2011, the month that changes to the ePrivacy Directive (Article 5(3)) were supposed to be transposed into national laws across Europe; the purpose of the changes was to better protect European Citizens from unauthorised behavioural tracking of their online activities.  This was a change I had pushed for over the previous years through my privacy work, so obviously I was looking forward to seeing the outcome of what had been a very tiring and long process.

Things were looking good at the beginning of the month, the Information Commissioner's Office were making very positive noises about the changes and it looked like everything was going to go ahead without a glitch.

Enter Ed Vaizey (Minister for Department of Culture, Media and Sport - DCMS) from stage left - Ed is very industry friendly and had been lobbied relentlessly by the advertising industry to weaken the changes when adding them to UK law - in fact the UK had already tried to have the wording changed in the Directive by sending a memo to the European Commission in November 2009 - they failed in that endeavour, largly thanks to the resolve of Commissioner Reding, but they did manage to get a Recital added to the final implementation of the Directive (Recital 66) suggesting that browser controls might be a valid form of consent removing the need for prior informed consent (a suggestion which has been widely debunked since by various European Commissioners and the Article 29 Data Protection Working Party).

Around the same time, Google held a "Big Tent" event in the UK and it was brought to my attention that Eric Schmidt had been seen entering 10 Downing Street around the same date.  Over the course of the next few weeks leading up to the deadline to implement the changes into national laws, there was a significant shift from the Information Commissioner who eventually issued a statement that they would not begin taking enforcement action until 12 months after the law was changed - which in itself was problematic as they were effectively ignoring the law they have a duty to enforce.

Obviously I was concerned, I had worked very hard on these issues, they had been my life for the previous 3 years and I became suspicious given the information I had been passed by various third parties.  So I decided to apply for disclosure under the Freedom of Information Act 2000 to find out whether the Information Commissioner's Office (which is supposed to be independent of Government) had been coerced into their 180 degree change of position by a government agency, specifically the Department for Culture, Media and Sport.

I sent the following request for information to DCMS on 27th May 2011:

"Dear Department for Culture, Media and Sport,

It has come to my attention that Ed Vaizey held a private meeting with Eric Schmidt on (or around) 18th May 2011.

Please provide details of the purpose of this meeting.

Please also provide minutes of this meeting and if no minutes were taken please explain why.

Please provide copies of any correspondence between DCMS or Ed Vaizey and Google or Eric Schmidt regarding the upcoming changes to UK Law in relation to the changes to 5(3) of the ePrivacy Directive."

I received a response as follows:

From: Matt Brittin
Sent: 06 May 2011 14:48
To: [Ed Vaizey]
Subject: Revised ePrivacy Directive

Dear Ed,

Google welcomed the UK Government's recent positive response on the revised ePrivacy directive. In particular, how a user will gain consent in the context of clarity about the purposes of access to their information. We also welcomed the Government's support for the cross-industry self-regulatory initiative for behavioural advertising in meeting the requirements of the Directive.

We will also continue to work with the Government to enhance users' ability to understand and organise web browser settings and other applications to their choice. Our agreed approach was to make participants in the advertising value chain responsible for the provision of clear information to the user alongside straightforward tools for managing the use of cookies and data.

However, the drafting of the Statutory Instrument (which the Internet Advertising Bureau (IAB) has shared confidentially with us and which we are disappointed to hear has already been laid) adds new language to that of Recital 66 to the effect that consent is given by the subscriber or user via the amendment or setting of controls. We are extremely concerned about the implications of this. This is not the wording in the Directive and therefore is not the approach that the DCMS consulted upon last year. As such, it appears to be `gold-plating' a European Directive in a way we understand the Coalition Government has committed not to do. The language of Recital 66 itself is quite sufficient without making it technically prescriptive in this way. It says: "Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application".

Both the French and Irish Government's wording on browsers are almost verbatim from Recital 66 and are, as a result, far more business-friendly. The UK is currently the largest per capita e-commerce market in the world and we risk throwing our competitive advantage away if the UK does not reconsider its approach towards the implementation of this Directive. It is worth noting that the French seem unconcerned about transposing the Directive late in order to consult with valued industry stakeholders on their proposals. We would urge the UK to take a similar approach to ensure that industry are given a chance to feed in to the process before legislation is passed.

Best wishes,


Matt Brittin - MD UK & Ireland Operations, Google

As you might expect, I was outraged, the communication clearly shows that Google suggested the UK Government should ignore the deadline to implement the changes in to UK law - which is exactly what happened.

This illustrated to me that the DCMS had colluded with a private company to break European law (implementation of the changes was a legal requirement), it was a clear conspiracy and I wanted to know how deep it went.  I spent the next 8 months thinking about how best to move forward until finally in January this year I decided to file another FOI request - this time with the Information Commissioner's Office to find out what ICO and DCMS has discussed leading up to the May deadline as follows:

"Dear Information Commissioner’s Office,

Please provide copies of all communications between the Department for Media, Culture and Sport (and/or Ed Vaizey) and the Information Commissioners Office (and/or Christopher Graham) between January 1st 2011 and May 26th 2011 with regards to changes to the ePrivacy Directive due to be transposed into UK Law by 26th May 2011."

Yesterday the Information Commissioner's Office replied to the request with a copy of two letters (one from the Information Commissioner to Ed Vaizey and the other, Ed Vaizey's reply, both of which can be found here.

There is some useful information in the exchanges but nothing particularly incriminating, I have filed a further request for disclosure of communications between Ed Vaizey and the Information Commissioner throughout 2010 including the August correspondence referred to in the letters.

However, this was only a part response, the Information Commissioner's Office refused to disclose communications between themselves and DCMS as follows:

"We have considered further correspondence between DCMS legal advisers and the ICO but have found that this is exempt under section 42 Freedom of Information Act 2000 (FOIA) Legal Professional Privilege.
Section 42(1) states that ‘information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of
communications could be maintained in legal proceedings is exempt information’.
When considering whether to apply it in response to a request for information, we must consider a public interest test.  That is, we must consider whether the public interest favours withholding or disclosing the information.   
In this case the public interest factors in disclosing the emails are:

* Increased transparency in the way in which the ICO communicates with organisations important to its business   
* Furthering the understanding of the implementation of new regulations

The factors in withholding the information are:

* the public interest in maintaining the ICO’s ability to be consulted on matters of importance to its interests and regulatory functions.
* the public interest in allowing organisations with shared interest the ability to consult and discuss complex legal issues with the aim of better understanding each others position. This will allow the issues of concern to the general public to be discussed and debated in details.

Having considered all of these factors we have taken the decision that the public interest in withholding the information outweighs the public interest in disclosing it.  Therefore in this instance we are unable to provide you with the correspondence in question.
Further, we have considered other correspondence between relevant ICO staff and relevant members of DCMS staff and found that section 36 (2) (b) (ii) FOIA is engaged.
With regard to this information it is in the opinion of the Qualified Person  that section 36 (2) (b) (ii) is engaged and that the disclosure of the information would be likely to inhibit the free and frank exchange of views for the purposes of deliberation
However, section 36 is a qualified exemption and so we turn to the public interest test.
The public interest factors in favour of disclosing the information are:

* increased transparency in the way the ICO has communicated with DCMS and the increased understanding of the issues discussed
*  Furthering the public confidence that issues of importance and of interest are discussed at the appropriate level and in appropriate detail

The public interest factors in favour of withholding the information are:

* the public interest in the ICO and DCMS being able to discuss complex points in detail and share ideas prior to finalising these points
* the public interest in DCMS being able to trust that they are able to consult and communicate with the ICO in a manner appropriate to the issues in the knowledge that information provided to the ICO or discussed with the ICO will not be disseminated prematurely or at all, where appropriate
* the public interest in the ICO maintaining a position where it is able to engage with and be consulted by key external bodies in relation to matters which are of importance to its regulatory function."

That is a lot of information so let me start at the top - the refusal to disclose communications between ICO and DCMS Legal Advisors under s42(1).

First of all some background - the exemption is based on what is commonly known as "Attorney/Client Privilege" which is a common law principle that communications between an attorney (lawyer) and their clients are confidential and no-one can be compelled to make such communications public, although the client can waive their right if they so choose.

This is a very odd exemption for ICO to have used, because first and foremost I never requested any communications between DCMS and their Lawyers, I requested communications between ICO and DCMS.  So ICO's use of s42(1) would seem to suggest either one of the following:

1.  ICO were clients of DCMS' Lawyers and therefore believe their communications fall under the Legal Professional Privilege (LPP) exemption; or

2.  ICO were exempting communications between themselves and DCMS because they disclosed communications between DCMS and their Lawyers (which would put DCMS in the position of the client.

On point 1.
ICO are supposed to be an Independent Regulator and therefore would not be permitted to accept legal advice as clients to the DCMS Lawyers due to a conflict of interests which would rightfully undermine their independence, a breach of European law which would undoubtedly lead to infringement proceedings by the European Commission and potentially result in legal action against the UK in the European Court of Justice.

So if this is the case, this clearly supports my concerns that DCMS interfered with an independent regulator as well as colluding with a private corporation to ignore the deadline to implement the changes into UK Law -a very serious situation.

On point 2.
ICO's own guidance to public authorities on when s42(1) exemptions can be used (see here) clearly states that s42(1) can only be used if the communications in question have not been shared with a 3rd party (thus removing the argument of confidentiality) - well clearly if ICO are refusing to disclose these communications they must have them which also means DCMS have shared them with a 3rd party thus waiving their LPP rights.  So it seems that s42(1) exemption would be invalid.

But (and this is a huge but) even if ICO can argue that some how the LPP rights haven't been waived, this is what is known as a "qualified exemption" meaning it must further be subjected to a public interest test.  Again, in ICO's own guidance on s42(1) they state (with relevant case law cited) that if the communications impact a significant number of people, it is in the public interest and therefore disclosure should occur - one of the examples they cite is the enforcement action they took against the Government on the disclosure of the Iraq War memo written by the Attorney General to the Prime Minister.

Given that the changes to the law were to introduce protection of fundamental rights to privacy which impact the entire population, it is clear (given the case law) that the number of people impacted is enough to satisfy public interest and override the s42(1) exemption.

So no matter which way ICO try to paint the s42(1) exemption, it appears to be completely invalidated by their own guidance (ICO are the regulator responsible for enforcement of the Freedom of Information Act 2000).

Now to the second refusal to my request with regards to other relevant communications between ICO staff and DCMS staff, which ICO claim falls under 36 (2) (b) (ii) exemption.

Again this would appear to be complete nonsense as the changes have already been transposed into UK Law and ICO have already released their public guidance on how to comply with the law - so to argue that disclosure of these communications could "inhibit the free and frank exchange of views for the purposes of deliberation" is invalid as the deliberations have already concluded so there is no way disclosing these communications now could have any impact on such deliberations.

Furthermore, this is yet again a "qualified exemption" which means that yet again, the public interest test needs to be applied in order to validate the exemption so the same argument offered above regarding public interest certainly would seem to disqualify these communications from 36 (2) (b) (ii) exemption due to the fact that these discussions impact on the entire population.

There are two very serious issues at play here:

1.  ICO are the enforcement body for the Freedom of Information Act, yet they are ignoring their own guidance in order to avoid responding to an FOI request directed at themselves; and

2.  It leaves little doubt that ICO actually do have something to hide with regards to whether or not their independence was compromised by DCMS.

The entire situation stinks of a conspiracy between DCMS, ICO and the advertising industry (specifically Google) and is clearly unacceptable.

I have filed a request for an Internal Review of ICOs decision not to disclose the communications, which I suspect will yield no favourable result which will require me to then file for a Tribunal.  I will publish further information as it becomes available.

Appeal: Can you help bring my family home?

This is the strangest thing I have ever written and I am not entirely comfortable writing it because like many, I don't feel comfortable asking for charity; the only reason I am even considering this is because a friend suggested it.

Anyone who knows me, knows my work and how dedicated I am to it.  They also know that for the past 4 years I have worked mostly for free with just the occassional private contract to cover my household bills and feed my family.  I have never earned enough to save for a rainy day and we live a very modest life, month to month.

But 8 months ago we discovered we were expecting our second child and were faced with a dilemma, our house is very small (1.5 bedrooms) and was already too small for our family of 3 (I have a 6 year old son), we couldnt even fit a full sized single bed in our son's bedroom.  The house was also in a state of disrepair with a leaking roof which left the first floor walls covered with black mould - but we had never had the funds to make the repairs needed.

With the news of the pregnancy we had to do something so we started to get work done on the house to fix the existing problems and try to make more space for the arrival of our new child.  We started by repointing the entire house to resolve some of the damp issues and then borrowed £4000 from my father-in-law to have the roof lifted, waterproofed and refitted (our house was built in 1862 so did not have any waterproof membrane under the slates).

Once that was done we realised we needed to somehow create a 3rd bedroom so we started work converting the loft space, which meant we had to change the layout of the first floor to put stairs up to the loft.  This gave us the opportunity to move the existing bathroom into my son's small bedroom and change the old bathroom into a more reasonably sized single bedroom (only 2.5 meters x 3 meters but big enough to put in a real bed).

We had to do the work a little at a time as we could afford it - this led to the project taking much longer and with all the dust (we had to take the walls back to the stone in all the rooms to deal with the mould, re-render, re-plaster and have new electrics installed) and with my partner being pregnant, plus the bedrooms being unusuable - we decided it would be safer for my partner and son to move into her father's house temporarily until the work was finished.

Sadly the costs ended up being far higher than we had originally anticipated which meant the project has taken far longer.  My partner and son moved out in late August but due to there not being enough space at her dads for all of us and my work requiring me to be at home, I had to stay behind.  We expected the work to be finished in early December but again due to costs this didn't happen, and now the work has stalled due to finances.

I missed most of the pregnancy, my work is very important and we both decided that it was better for me to keep working.  It gets pretty lonely living in a single room with no kitchen, power only in that 1 room with your family on the other side of the city, it gets pretty depressing too.

In the last week of January, I had to go to Brussels to co-host a privacy event at the CPDP Conference, my partner at this point was very pregnant but had another 3 weeks to go until the baby was due to arrive.  The day after I arrived in Brussels, I got a phone call telling me my partner had been rushed into hospital with bleeding - it turns out she had a torn uterus so the hospital decided to get the baby out as soon as possible; she was born 2 days later, a healthy, beautiful little girl.

But the house is still a long way from completion and work is still stalled until I can raise the funds to complete it - I am missing beginning of my daughter's life and it is hard, I miss my whole family and I want them to come home.

I need to raise around £6000 to complete the work, so on the advice of my friends I am appealing to you, the public to help me bring my family home.  I have worked relentlessly for the last 4 years fighting for the fundamental human rights of everyone, the right to Privacy.  I speak about privacy all over the world at various events; I engage in consultations on the development of law or changes to existing laws to ensure that privacy still exists in the future for us and our children; I hold companies to task that seek to remove that right or ignore that right by profiting from the sale or monetisation of our personal data and I do all this for free.

But free doesn't pay the bills, it doesn't feed my family and it doesn't get my house fixed so my amazing son, my beautiful partner and our wonderful baby daughter can come home.  The paid contracts I manage to get are few an far between (3 in the last 4 years) and don't provide the means for us to complete the work in a reasonable time frame.  Without your help, my family will not be able to come home until June, almost 10 months after they had to move out.

£6000 doesn't seem like a lot of money, to many it isn't, but to me and my family it is like a mountain standing in the way of us being together.

Some people might argue that I should give up my advocacy work and take a paid job, but that is not an answer to me or my family, my work is important and I have dedicated the rest of my life to it, through better or worse, with the full support of my partner.  I am proud of what I do and I am not willing to stop, there are too few of us already and these issues become more numerous every single day.

So I am asking you, the public, to reach into your pockets and donate something to help me bring my family home, however small a sum, it will mean a great deal to us.  I dont know if this will work, many people will not know me or my work, but I have to try, I want my family back home, I don't want to miss the beginning of my daughter's life.

So if you want to donate, you can do so via PayPal by sending money to

If you want to contact me, then please feel free to look me up on Twitter under the username @alexanderhanff

Bring my children and partner home, please.

TalkTalk cleared by ICO to commence stalking their customers online.

The BBC yesterday ran a story about TalkTalk's plans to commence with trials of a new malware warning system despite anger from the public that the system tracks them around the Internet.  The technology, referred to by customers as "StalkStalk", intercepts the web communications of TalkTalk's customers then immediately sends a robot (software not a tin man) to the exact same pages viewed by those customers, at which point it scrapes the web page and runs an analysis on it to check for malicious content.  If the page is considered to be malware free it is added to a white list for 24 hours - if a page is considered to host malware then it is added to a black list for upto 7 days.

On the face of it many people might be quite happy and see it as a valuable service - but the reality is that such use of technology is against the law in the UK and much of Europe.  But there is another issue with this in that the Information Commissioner's Office (ICO) - the regulator responsible for enforcing the Privacy and Electronic Communications Regulations (PECR), are reported to have cleared the technology.

The BBC reports that ICO's issued the following statement:

"We have advised Talk Talk on the safeguards which are necessary to comply with the Data Protection Act and the Privacy and Electronic Communications Regulations."
The problem is that the technology cannot comply with PECR Regulation 7 unless consent is obtained from TalkTalk's customers and TalkTalk have already made it clear that they will not be seeking consent nor will they allow customers to even "Opt-Out" of having their communications data intercepted and their every move on the web shadowed by TalkTalk's "service".

Regulation 7 states the following:
Restrictions on the processing of certain traffic data
7. (3) Traffic data relating to a subscriber or user may be processed
and stored by a provider of a public electronic communications service if—

(a)such processing and storage are for the purpose of marketing
electronic communications services, or for the provision of value added
services to that subscriber or user; and

(b)the subscriber or user to whom the traffic data relate has given his
consent to such processing or storage; and

(c)such processing and storage are undertaken only for the duration
necessary for the purposes specified in subparagraph (a).

(4) Where a user or subscriber has given his consent in accordance with
paragraph (3), he shall be able to withdraw it at any time.
It is important to note that 7 (3)(a) and 7(3)(b) are both appended with the word "and" which means that 7(3) is only permitted once all the conditions are met through 7(3)(a) - 7(3)(c) - this is the crux of the issue.

TalkTalk have stated that they will obtain prior consent via an Opt-In mechanism before it serves customers with warnings about potential threats, but that consent mechanism does not extend to the interception and stalking of customers' online activities.  This is made clear by a "FAQ" posted to TalkTalk's user forums:
"7. Will only customers who sign up to Network Security have the websites they visit scanned?"

"We are scanning all the websites our customer base as a whole visits, in complete anonymity, You have to opt-into the Virus Alerts product itself, so if you don't want the warnings while you browse you don't have to enable the service, or if you activate Virus Alerts, you can switch it off again at any time afterwards."

Many people commenting on this issue are misunderstanding the purpose of PECR and assuming that because TalkTalk state they are not processing personal information and that they anonymise the data, that they are not breaking the law.  The problem is, we are not dealing with the Data Protection Act here - which is specifically concerned with Personal Information; we are looking at PECR which covers private communications not personal information.  To state that this technology complies with law because of anonymisation is a red herring and completely irrelevant for the purposes of PECR.

TalkTalk also state they are not processing private communications, but that they are processing network communications - this simply is not true.  PECR clearly states that "Traffic data relating to a subscriber or user" requires consent - the fact that TalkTalk are intercepting customers' traffic data and then following them directly to the page they just visited can only be defined as "traffic data relating to a subscriber".  As for the "not processing" argument - again they are processing the data, they claim to strip out session IDs and other data which could be used to identify the customer and they are acting on the data they obtain when the intercept those communications in the first place; therefore it is ridiculous to claim that this is not "processing".

Many people might ask "well what is the problem, they are only trying to make the Internet safer for their customers?" - yes they are, but they are doing it in a way which is illegal and earlier trials of the technology this year proved that TalkTalk were not doing what they said they were.  For example, TalkTalk claimed not to visit any pages which are dynamically generated for a specific user (such as a forum control panel or shopping cart) but that was proved not to be the case.  Several system administrators and web site owners reported that TalkTalk's robots were using captured session IDs and URL parameters to directly access private pages.  Furthermore, there simply is no need for TalkTalk to be doing any of this in order to provide a malware alert service - there are already several services TalkTalk could utilise and most modern web browsers already do this, which raises the question of whether or not TalkTalk's system is completely redundant.  To stalk people around the Internet in order to protect them is akin to wire tapping your phone to let you know when a malicious call is incoming - with the caveat that in order to detect malicious calls they have to listen to every single call that the line is used for.

At the end of the BBC article the ICO also add:

"it would take seriously any complaints it received about the service but said it had not received any to date."
(emphasis added)

This is blatently untrue. On Friday 13th August 2010, I had a meeting at ICO's head office with a senior member of ICO's staff.  The TalkTalk issue was discussed at length (probably more than 1/3rd of the meeting) and it was made very clear this was a complaint and a outline of the action ICO were planning to take was discussed.  Furthermore, after that meeting I was asked to provide a list of questions which addressed customers' concerns for ICO which they would ask at a meeting with TalkTalk on Monday 16th August 2010 - which after consulting with various customers, was provided.  I also know for a fact that several people wrote formal complaints to ICO in the month leading up to that meeting.

So it seems we have a number of issues here:
  1. ICO are once again showing that they are unwilling to take enforcement action against big industry players.
  2. ICO do not understand the Privacy and Electronic Communications Regulations which they are mandated to enforce and have repeatedly made the error that commercial interception of private communications is permissable without consent, if it is for the purpose of a value added service (they made the same mistake with Phorm) - whereas the regulations explicitly state the opposite.
  3. TalkTalk will continue to intercept the private communications of their customers for the purposes of shadowing their every activity on the web - but they will do it now with the full support of the regulator.
  4. ICO have once again shown to be enveloped by regulatory capture.
I should also make it clear that TalkTalk's technology fails to comply with the Regulation of Investigatory Powers Act (RIPA) - which makes commercial interception of communications a crime if no consent it obtained.  I have chosen not to go into detail over RIPA in this piece for a number of reasons:
  1. The UK are currently involved in a legal case with the European Commission for failing to implement European Directives governing interception of communications appropriately.  The Commission have commenced with a case in the European Court of Justice claiming that RIPA is in breach of European Law.
  2. RIPA is currently under review and we are in the middle of a consultation period (ending December 17th 2010) - until that consultation period concludes and the review is complete, it is difficult to know how RIPA will eventually look.  Currently it is looking as though the Home Office are going to make it even worse by making commercial interception a civil matter with a maximum £10 000 fine (whereas state interception will remain a crime unless a warrant is obtained) - this is a very serious concern but that is the subject of a future discussion and is beyond the scope of this article.
In conclusion, it would seem that the public cannot rely on ICO to protect their private communications and as such, it is my recommendation that all TalkTalk customers cancel their contracts as soon as TalkTalk go live with their trials.  It is my belief that this would be a material breach of customers' contracts and if TalkTalk update their Terms and Conditions in order to counter this argument, it would be a material change to those contracts which under UK Law allows customers to cancel the contract without penalty.  I will be taking this issue to the EU Commission and appeal to the public to email complaints to Vice President Neelie Kroes at the European Commission, who is responsible for ePrivacy and related EU Law - you can email Ms Kroes here

I am not a lawyer, but I spend a great deal of time dealing with and researching law - it is my sincere opinion that my analysis in the paragraph above is correct, but please, if you have any doubts or questions, contact a solicitor.

BBC Article on TalkTalk
TalkTalk FAQ on their User Forums

Google's claim that location sharing in Android is "Opt In" is false

Some time ago I tweeted my concerns that despite Google Android asking whether consumer would like to enable Location Sharing (opt-in) during the initial device setup, one still had to manually disable location sharing in Android's web browser - this is enabled by default even if you don't opt-in to location sharing during the initial device setup.  This, in itself, is enough to stifle Google's claim about Android location sharing being Opt-In.

However, to make matters worse, when you install an Android update (as I did with Froyo and soon will again with Gingerbread) it reverts the browser setting for location sharing back to "On".  This is completely unacceptable and only now (after several months) have I noticed this because one assumes that once you disable it, the setting will persist.  It is only because the issue came up again today that I checked my browser settings, to find that it had been "on" for several months.

Furthermore, it has been reported that the Android Twitter Client also reverts location sharing back to "on" when it is updated.

I would advise anyone who has an Android device and does not want to disclose their location to the world and his dog, to go into any net facing apps (including browser and social networking clients) and check that location sharing is turned off.

I will be discussing this with Google over the next couple of days "suggesting" that this is dealt with before Gingerbread is released by making the default option for the browser and other apps set to disable location sharing - either that or the initial setup where one can "opt-in" to location sharing needs to persist across ALL applications including the browser and social networking apps.  I will post updates when they become available.

Google/Verizon represent one of the most serious threats to the Internet ever

A joint statement by Google and Verizon which appeared on Google's Public Policy Blog summarising an agreement between the two giants which they are planning to push to legislators in the US.

"Today our CEOs will announce a proposal that we hope will make a constructive contribution to the dialogue. Our joint proposal takes the form of a suggested legislative framework for consideration by lawmakers".

The blog entry provides a summary of the seven main points from the agreement and everyone should have serious concerns about their plans and make every effort to lobby their political representatives to ensure that such proposals never become law.  Why?  Because they have the potential to destroy the Internet as we know it.  No I am not exagerating and I will explain why.

Point number one in the summary states the following:

"First, both companies have long been proponents of the FCC’s current wireline broadband openness principles, which ensure that consumers have access to all legal content on the Internet, and can use what applications, services, and devices they choose."

As a libertarian this causes me serious concern and that concern stems from the words "access to all legal content".  This is a very serious situation especially in a month where the Pentagon have demanded Wikileaks return confidential military documents sent to them by an as yet unknown individual.  The problem with legislation which allows for content to be turned off is that it poses a significant danger for free speech and democracy. 

For example, Wikileaks is not illegal yet this new legislation would allow the Federal Government to force Internet Service Providers to block access on a nationwide level.  Today it is Wikileaks, tomorrow it might be a politcal rant and next week it might be a resource on abortion.  The problem exists in who defines what is illegal and what oversight will be put in place - will the policy be transparent or will the blocks take the form of secret lists - what about false positives and what action will be available to sites wrongly censored?  Furthermore what about human and constitutional rights based on Freedom of Speech and Freedom of Expression?

Before anyone comments that this will never be abused and only sites which can be absolutely defined as illegal could be blocked, I would like to remind you that historically - when a law can be abused, it generally has been.  For a prime example look at the Sunset Clauses of the PATRIOT Act - pieces of law which were only ever supposed to be temporary specifically because of their impact on civil liberties, which have since become permanent.  If you think this new legislation won't be abused you are naive at best and given the vast power yielded by the corporate lobby in the US you can be sure that organisations such as the RIAA/MPAA etc. will be bringing their full weight to bear in the blocking of what they consider to be infringing content even if a court has never determined it to be so.  This is the beginning of an incredibly slippery slope and if I were a US citizen I would be deeply concerned about the erosion of my constitutional rights - even as a European, I am deeply concerned about the impact this proposal could have on the global community.

The second area for concern comes under point six as follows:

"Sixth, we both recognize that wireless broadband is different from the traditional wireline world, in part because the mobile marketplace is more competitive and changing rapidly. In recognition of the still-nascent nature of the wireless broadband marketplace, under this proposal we would not now apply most of the wireline principles to wireless, except for the transparency requirement. In addition, the Government Accountability Office would be required to report to Congress annually on developments in the wireless broadband marketplace, and whether or not current policies are working to protect consumers."

This is completely unacceptable.  Google and Verizon are proposing that Net Neutrality should be codified in law for wired networks but that the same principles should not be adhered to Wireless networks and it is clear to see why.  Google and Verizon both have a significant stake in mobile data - Verizon through their infrastructure and Google through their Android platform.  For two companies with a vested interest in the abuse of network communications, to recommend that those same networks should not be regulated, is effectively giving themselves open license to abuse communications on a mass scale.

I am not being an alarmist here - it is very clear that Google plan to manipulate mobile data in any way they can to enhance their advertising services (enhance for their customers not their users) particularly with the use of location data.  If there is no regulation for Wireless Networks you can guarantee that any wireless services you use will be subjected to manipulation at every level.  Examples of this might be for Google to make deals with wireless providers which block access to all other streaming video services other than YouTube (bye bye Vimeo etc.) or for Verizon to block VOIP access which has been an issue with various carriers for a long time already.

The consequences of these proposal are an illustration of exactly why Net Neutrality is paramount for an Open Internet.  Are you, the American People, the Land of the Free - are you going to allow two corporations to dictate the shape of access to online resources and systematically destroy any notion of freedom or net neutrality in a single blow - or are you going to stand and up stop them?

The world awaits your response but remember if you don't act, don't complain when your remaning fragile civil liberties have been erased because it would be by your own hands and what takes six months to destroy will take generations to rebuild.

Should we trust Google regarding WiFi Scandal?

Google have claimed to the Press and Media that the latest privacy scandal regarding their interception of Internet communications whilst sniffing out WiFi hot spots with their Streetview cars was an "accident".

They have stated that the code was being worked on for a different project and somehow managed to get inserted into the Streetview project - and frankly that doesn't wash.

Having worked on large IT projects for 15 years I have a strong understanding of the design, developement, testing and deployment cycles fo such projects, so let me explain a little how it works.

1.  The Design Phase
As the title suggest this phase is where the project is originally defined and designed.  Normally at the beginning of this phase there would be a very high level concept design which would not include any "code" as such - its purpose would be to give management and executives a human readable outline of the design principles and purpose of the project.

Once this has been signed off by management and a project leader/manager has taken control, that design concept will be fleshed out to make it ready for the engineers - this would result in documentation still at quite a high level (human readable) with perhaps some "pseudo code" but certainly nothing more.

The output from this phase would consist of lot of reference documents, technical glossary, project plan and a lot of documents defining technical functionality and specifications - these would then become the core knowledge resources for the entire project and would be used by developers, testers and even management, throughout.

2.  The Development Phase
Nothing too complex in describing this phase - it is what it says on the tin.  Using the design references and technical specifications the engineers would develop the code base for the project.  They liase with the Designers frequently and once they have some code it goes off for testing and debugging.

3.  The Testing Phase
Testing and Debugging will be heavily reliant on the technical specifications and various other documents from higher up the chain.  Test environments would be setup to mimic the real world and extensive testing of every single piece of code is carried out.  This is one of the most important phases in any IT project and it lasts a long time.  Every single byte of data which is produced by the tests is inspected to ensure that it is working as planned.  It never does, at least not in the early phases of project so there is a lot of interaction between developers and testers and again a lot of interaction between developers and designers.

4.  The Deployment Phase
In essence once a project has been thoroughly tested and is seen as stable it will be deployed into the real world - this doesn't mean that the three previous groups become obsolete - in fact they would continue to redesign, redevelop and retest in order to add new features, remove features which are not needed and deal with bugs or unexpected behaviour which was not picked up in the labs.  And believe me, these -always- manifest - I have yet to work on a large project which works as desired first time round, it simply doesn't happen.  The project manager has to deal with change requests, bugs, resource issues, efficiency issues and a whole bunch of other things.

So the question is how does a piece of code "intended" for another project entirely, manage to find its way into the project without being noticed?  The short answer is that it doesn't, it simply is not possible because of the very granular method in which projects are developed.

At the very worst it would have been picked up in Phase 3 (Testing) as the data coming back from the test environments would include all this "accidental" data and would be picked up by the people doing the testing.  At this phase in order for it to be "rogue" code one would assume there would be no technical specifications for that code which would immediately ring alarm bells with the testers as they find they have all this data which is not defined.

Even if it was missed during the testing phase (which is incredibly unlikely) it would certainly be noticed in the data coming back during the early stages of deployment - which is always examined thoroughly - you simply cannot fail to notice all this incoming data containing the contents of Internet communications.

Furthermore, one has to assume that the size of this data (considering it has been collected for over 3 years) would be significant - probably hundreds of terabytes - that all has to be stored somewhere and believe me when I say Database and System Administrators know their systems very well indeed, it is their job to know what is in their systems and why it is there - they need to know this to keep on top of resources, manage access control and backups - you can't store all this extra data accidentally, it takes physical space, money and real man hours to manage it.

So do I trust Google when they say it was accident?  Absolutely not - they knew they had the data, they knew where and what that data was and they stockpiled it for 3 years - and it is likely they would have continued to do so had Germany not demanded to know what data they were collecting.

Google may well be able to pull the wool over the eyes of regulators, press, media and the general public - but anyone who has worked professionally on large IT projects knows full well that this was no accident - it just doesn't happen that way.

Deleting my Facebook Account

Earlier today I made the following announcement on my Facebook "Wall":

To all my friends, family, followers.

As a privacy advocate working for one of the world's leading privacy organisations, I have decided that I cannot with good conscience continue to use Facebook as a tool and resource for my work. As such, I will be deleting my facebook account at 13:00 (1pm) BST today.

Any person who wishes to keep ...up to date with my work and to continue to communicate with me may do so via my Twitter feed at:

Facebook's continued exploitation of their users personal and private data is completely unacceptable.

In closing, I would recommend to all my friends, family and followers to also delete their own Facebook accounts if they value their privacy and personal security. Facebook is neither a safe nor secure service for you or your family members to use - particularly your children who are being aggressively targetted by the marketing companies which fund many of Facebook's 3rd party applications.

Reply to a letter from my local Labour Candidate

I sent a letter to all my local political candidates regarding the Digital Economy Act as part of the ongoing campaign by Open Rights Group (see here: and the first response I received was from Clive Grunshaw from Labour - so I took the opportunity to send him another letter which I have published below. I urge everyone to consider these issues when they vote on polling day and I urge Labour to try to comprehend the damage they have done to our society.


As someone who works in the privacy sector as an advocate, campaigner, lobbyist and consultant it should be easy to understand that I have become disillusioned by the Labour Party over the past 13 years.  I voted Labour in 1997 and I literally wept with joy when the election was won after being raised for most of my life under Conservative reign.  But now 13 years on I feel like it was the worst political decision I ever made - regret doesn't begin to explain how I feel.

The erosion of civil liberties by Labour over the past 13 years has been so severe that I worry we may never manage to restore much of what has been lost.  The proliferation of CCTV, ANPR, Biometrics, Interception of Communications, Databases, Data Collection and Data Retention (to name just a few) has been so vast and so damaging to society and democracy and for what?  It has cost the public dearly both with regards to their rights and of course tax funds in a time where economic stability has crumbled.

We have seen one of the most corrupt governments in the history of democracy where regulatory capture and a corporatist body politic have destroyed the very definition of democracy for their own gain.  I was on the phone to my MP who was in Westminster the day of the tube bombings - I heard first hand the reaction from the halls of Parliament and the panic caused by this terrorist attack; but whereas it was tragic (as is any loss of of life to terror attacks) I feel that the government have abused it as an opportunity to tighten the reigns on society and create a police state.  The Government have disrespected those who lost their lives and their families by destroying the things that made Britain good.  I would gladly give my life to undo much of what Labour have done with regards to our liberty and human rights.

I have written many papers and been involved in Government consultations on Privacy over the past couple of years but all I see is lip service.  I still don't see any enforcement of the law when big business blatantly abuse their positions of trust and break the law.  I have a criminal complaint still being investigated after almost 600 days against BT and Phorm - a clear cut case of criminal activity which should have been prosecuted so quickly - yet I discover that the average time it takes for the CPS to decide whether or not to prosecute is a mere 9 days.  This sends the message that if you are a big company with lots of Government friends and contracts, you can do whatever you want and get away with it.

I have written about the use of biometrics in our schools which are stored permanently and are available for the police to access; I have read about CCTV in school bathrooms; I have read about GPS tracking on our school buses and children below the age of 10 on the DNA database and again Labour makes me weep just as I did in 1997 but now I weep with shame because my actions in 1997 have led to a world where my now 4 year old son has no liberty.

So I beg of you, explain to me how Labour are going to turn the clocks back and return our country to one I can be proud of - one where the politicians are there to serve the interests of the people not the interests of big business and the interests of politicians.  Tell me that Labour will abandon their plans to monitor and control everything the public do.  Tell me Labour with sever their ties with global corporations which are reaping in profits of billions at the expense of British liberty from contracts granted by the Labour Government.  Tell me that Labour will give us back our dignity, our pride and our liberty.

I don't think you can do any of that - it is my belief that things will continue exactly as they have been and will get worse to and beyond the point of total fascism - to and beyond a point that the Stasi would be envious of - to and beyond a point depicted in distopian literature such as 1984.  Labour have destroyed my world, they have destroyed my son's future and they have destroyed my faith in democracy - nay, they have destroyed democracy itself.

I am ashamed of myself for having voted labour in 1997; I am ashamed of my country and I fear the future regardless of which party wins on polling day.  History tells us that Governments do not relinquish control gained by previous administrations - the damage your party has done will be almost impossible to undo - and I can never forgive that.

I hope you take my concerns seriously; I hope you lay awake at night thinking about the consequences of your actions; I hope you look at your children with the shame I feel and I hope you weep every single day for the loss of democracy and liberty which your party is responsible for.

But I doubt you will.


Alexander Hanff
Privacy International