Tags: privacy

Windows Phone - Not Ready Yet.

I was lucky enough to be given a Lumia 900 by Nokia and I have to admit, I do like the device and I do like the Windows Phone UI - but there are a significant number of problems which need to be addressed.

Firstly, early adopters of the Windows Phone platform have been hung out to dry by Microsoft - 1st generation devices will not be issued with an upgrade to Windows Phone 8, which when you consider those who purchased these devices (as opposed to carrier subsidised devices) paid upwards of £450 for the Lumia 900 and slightly less for the 800, to then be told 8 months later that they will not receive an update for the new version of the Operating System, is very disappointing.  Early adopters cannot be blamed for being very angry at Microsoft for this - there should at least be some form of reasonable trade-in available so early adopters can recover some of the costs whilst still making an upgrade to Windows Phone 8, especially in light of the announcement by Microsoft that Windows Phone 8 will be officially supported for a minimum of 18 months (which just rubs even more salt in the wounds of the early adopters left with Windows Phone 7 devices).

Now to the serious issues with the OS which to my knowledge have still not been addressed in Windows Phone 8.

Network Time Protocol (NTP)
Many Windows Phone 7 devices (particularly Nokia Lumias) suffer from time loss issues.  My Lumia 900 for example, loses several minutes every month, which is incredibly annoying and makes syncing up meetings and conference calls with my Calendar less than satisfactory as I will generally be late if I do so.  There is no way to sync Windows Phone 7 (and as far as I know Windows Phone 8) with a network time server - such a simple fix to implement, but never addressed by Microsoft.

Password Protected Office Files
It is nice to have Office on my phone, but it is useless if I cannot open password protected Office documents.  Given the inclusion of SkyDrive with Windows Phone, it seems to be incomprehensible that Windows Phone does not support opening password protected Office files because anyone who is storing files in the Cloud (SkyDrive) without encryption or password protection, is a fool - especially if said files are business related.

I understand that some of the encryption woes have been addressed in Windows Phone 8 but as far as I know there is no way to fully encrypt the userspace with either version 7 or version 8 of the Operating System - this leaves your contacts, calendar, SMS, email, social network messages and notifications etc. all unprotected - something I take issue with.

Virtual Private Network (VPN)
Windows Phone 7 (and as far as I am aware, Windows Phone 8) has no means of connecting to a VPN.  In the current world where telcos are using Deep Packet Inspection (DPI) to sniff everything you do on their network for the purpose of ToS enforcement or Behavioural Profiling/Advertising, the ability to encrypt all your communications is not just a feature, it is essential - especially on a device used for business communications.  The DPI use is not limited to mobile networks either, the vast majority of free WiFi services across the world are employing the same sniffing technology to inject behavioural ads into the content you view via their networks - that means your emails, the web pages you visit, your online chats or any other Internet Protocol (IP) communication which is not encrypted is being spied on by countless third parties.

Location Tracking
Every single app I have installed on Windows Phone requires me to consent to Location Tracking (literally every single app - it is almost as though it is a default) even though I have disabled location tracking in the OS.  This is a massive privacy issue and one which as a privacy professional, makes me particularly angry.  There is no excuse for it, just stop doing it.  If you develop Windows Phone Apps stop asking for permission to things you do not need - the vast majority of apps do not need location tracking and if your ad partner requires location tell them to either provide an option without location tracking, or find another ad partner.  If you refuse to grant location tracking on these apps, they will not install - it is wholly unacceptable.

So, just a few reasons why I am at odds with Windows Phone - all important, all serious and all indications that the platform simply is not yet ready - especially for business use.  That said, neither are Android or iOS which both have their own very serious security and privacy issues - does this mean the only option is RIM?  I have never used or reviewed a Blackberry so I honestly can't comment - although I do have a dozen or so friends who work for RIM and swear by them - what do you guys think (answers in comments)?

TalkTalk cleared by ICO to commence stalking their customers online.

The BBC yesterday ran a story about TalkTalk's plans to commence with trials of a new malware warning system despite anger from the public that the system tracks them around the Internet.  The technology, referred to by customers as "StalkStalk", intercepts the web communications of TalkTalk's customers then immediately sends a robot (software not a tin man) to the exact same pages viewed by those customers, at which point it scrapes the web page and runs an analysis on it to check for malicious content.  If the page is considered to be malware free it is added to a white list for 24 hours - if a page is considered to host malware then it is added to a black list for up to 7 days.

On the face of it many people might be quite happy and see it as a valuable service - but the reality is that such use of technology is against the law in the UK and much of Europe.  But there is another issue with this in that the Information Commissioner's Office (ICO) - the regulator responsible for enforcing the Privacy and Electronic Communications Regulations (PECR), are reported to have cleared the technology.

The BBC reports that the ICO issued the following statement:

"We have advised Talk Talk on the safeguards which are necessary to comply with the Data Protection Act and the Privacy and Electronic Communications Regulations."

The problem is that the technology cannot comply with PECR Regulation 7 unless consent is obtained from TalkTalk's customers and TalkTalk have already made it clear that they will not be seeking consent nor will they allow customers to even "Opt-Out" of having their communications data intercepted and their every move on the web shadowed by TalkTalk's "service".

Regulation 7 states the following:

Restrictions on the processing of certain traffic data

7. (3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if—

(a) such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and

(b) the subscriber or user to whom the traffic data relate has given his consent to such processing or storage; and

(c) such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).

(4) Where a user or subscriber has given his consent in accordance with paragraph (3), he shall be able to withdraw it at any time.

It is important to note that 7(3)(a) and 7(3)(b) are both appended with the word "and" which means that 7(3) is only permitted once all the conditions are met through 7(3)(a) - 7(3)(c) - this is the crux of the issue.

TalkTalk have stated that they will obtain prior consent via an Opt-In mechanism before it serves customers with warnings about potential threats, but that consent mechanism does not extend to the interception and stalking of customers' online activities.  This is made clear by a "FAQ" posted to TalkTalk's user forums:

"7. Will only customers who sign up to Network Security have the websites they visit scanned?"

"We are scanning all the websites our customer base as a whole visits, in complete anonymity, You have to opt-into the Virus Alerts product itself, so if you don't want the warnings while you browse you don't have to enable the service, or if you activate Virus Alerts, you can switch it off again at any time afterwards."

Many people commenting on this issue are misunderstanding the purpose of PECR and assuming that because TalkTalk state they are not processing personal information and that they anonymise the data, that they are not breaking the law.  The problem is, we are not dealing with the Data Protection Act here - which is specifically concerned with Personal Information; we are looking at PECR which covers private communications not personal information.  To state that this technology complies with law because of anonymisation is a red herring and completely irrelevant for the purposes of PECR.

TalkTalk also state they are not processing private communications, but that they are processing network communications - this simply is not true.  PECR clearly states that "Traffic data relating to a subscriber or user" requires consent - the fact that TalkTalk are intercepting customers' traffic data and then following them directly to the page they just visited can only be defined as "traffic data relating to a subscriber".  As for the "not processing" argument - again they are processing the data, they claim to strip out session IDs and other data which could be used to identify the customer and they are acting on the data they obtain when they intercept those communications in the first place; therefore it is ridiculous to claim that this is not "processing".

Many people might ask "well what is the problem, they are only trying to make the Internet safer for their customers?" - yes they are, but they are doing it in a way which is illegal and earlier trials of the technology this year proved that TalkTalk were not doing what they said they were.  For example, TalkTalk claimed not to visit any pages which are dynamically generated for a specific user (such as a forum control panel or shopping cart) but that was proved not to be the case.  Several system administrators and web site owners reported that TalkTalk's robots were using captured session IDs and URL parameters to directly access private pages.  Furthermore, there simply is no need for TalkTalk to be doing any of this in order to provide a malware alert service - there are already several services TalkTalk could utilise and most modern web browsers already do this, which raises the question of whether or not TalkTalk's system is completely redundant.  To stalk people around the Internet in order to protect them is akin to wire tapping your phone to let you know when a malicious call is incoming - with the caveat that in order to detect malicious calls they have to listen to every single call that the line is used for.
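For site owners who want to check their own access logs for the behaviour reported above (a second client re-requesting a URL that carries a session ID shortly after the real visitor), here is an added example; it is not part of the original post and is not TalkTalk's code. The log lines, IP addresses, user agent and the list of session parameter names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Nov/2010:10:00:01 +0000] "GET /forum/ucp.php?sid=4f2a9c HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2010:10:00:09 +0000] "GET /forum/ucp.php?sid=4f2a9c HTTP/1.1" 200 5120 "-" "ExampleScanner/1.0"
192.0.2.10 - - [26/Nov/2010:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2010:10:00:41 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "ExampleScanner/1.0"
192.0.2.44 - - [26/Nov/2010:10:05:00 +0000] "GET /cart?PHPSESSID=aa11 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Nov/2010:10:05:05 +0000] "GET /cart?PHPSESSID=aa11 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumption: query parameters that carry a session identifier; adjust per application.
SESSION_PARAMS = {"sid", "phpsessid", "jsessionid", "token"}

def find_replays(log_text, window=timedelta(seconds=60)):
    """Return (url, first_ip, replay_ip, delay_seconds, replay_status) for every
    session-bearing URL fetched by a different IP within `window` of its first request."""
    first_seen = {}  # url -> (ip, timestamp) of the first request seen
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, url, status = m.groups()
        params = {k.lower() for k in parse_qs(urlsplit(url).query)}
        if not params & SESSION_PARAMS:
            continue  # a crawler re-fetching public pages is not the concern here
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if url not in first_seen:
            first_seen[url] = (ip, when)
            continue
        orig_ip, orig_when = first_seen[url]
        delay = when - orig_when
        if ip != orig_ip and delay <= window:
            hits.append((url, orig_ip, ip, int(delay.total_seconds()), int(status)))
    return hits

if __name__ == "__main__":
    for url, orig, replay, delay, status in find_replays(SAMPLE_LOG):
        print(f"{replay} replayed {url} {delay}s after {orig} (HTTP {status})")
```

A replay answered with status 200 means the session ID in the URL was enough on its own to reach the private page; keeping session identifiers in cookies rather than in URLs removes that exposure.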

At the end of the BBC article the ICO also add:

"it would take seriously any complaints it received about the service but said it had not received any to date."
(emphasis added)

This is blatantly untrue. On Friday 13th August 2010, I had a meeting at ICO's head office with a senior member of ICO's staff.  The TalkTalk issue was discussed at length (probably more than 1/3rd of the meeting) and it was made very clear this was a complaint and an outline of the action ICO were planning to take was discussed.  Furthermore, after that meeting I was asked to provide a list of questions which addressed customers' concerns for ICO which they would ask at a meeting with TalkTalk on Monday 16th August 2010 - which after consulting with various customers, was provided.  I also know for a fact that several people wrote formal complaints to ICO in the month leading up to that meeting.

So it seems we have a number of issues here:
  1. ICO are once again showing that they are unwilling to take enforcement action against big industry players.
  2. ICO do not understand the Privacy and Electronic Communications Regulations which they are mandated to enforce and have repeatedly made the error that commercial interception of private communications is permissible without consent, if it is for the purpose of a value added service (they made the same mistake with Phorm) - whereas the regulations explicitly state the opposite.
  3. TalkTalk will continue to intercept the private communications of their customers for the purposes of shadowing their every activity on the web - but they will do it now with the full support of the regulator.
  4. ICO have once again shown to be enveloped by regulatory capture.

I should also make it clear that TalkTalk's technology fails to comply with the Regulation of Investigatory Powers Act (RIPA) - which makes commercial interception of communications a crime if no consent is obtained.  I have chosen not to go into detail over RIPA in this piece for a number of reasons:
  1. The UK are currently involved in a legal case with the European Commission for failing to implement European Directives governing interception of communications appropriately.  The Commission have commenced with a case in the European Court of Justice claiming that RIPA is in breach of European Law.
  2. RIPA is currently under review and we are in the middle of a consultation period (ending December 17th 2010) - until that consultation period concludes and the review is complete, it is difficult to know how RIPA will eventually look.  Currently it is looking as though the Home Office are going to make it even worse by making commercial interception a civil matter with a maximum £10 000 fine (whereas state interception will remain a crime unless a warrant is obtained) - this is a very serious concern but that is the subject of a future discussion and is beyond the scope of this article.

In conclusion, it would seem that the public cannot rely on ICO to protect their private communications and as such, it is my recommendation that all TalkTalk customers cancel their contracts as soon as TalkTalk go live with their trials.  It is my belief that this would be a material breach of customers' contracts and if TalkTalk update their Terms and Conditions in order to counter this argument, it would be a material change to those contracts which under UK Law allows customers to cancel the contract without penalty.  I will be taking this issue to the EU Commission and appeal to the public to email complaints to Vice President Neelie Kroes at the European Commission, who is responsible for ePrivacy and related EU Law - you can email Ms Kroes here Cab-Kroes-NK@ec.europa.eu.

I am not a lawyer, but I spend a great deal of time dealing with and researching law - it is my sincere opinion that my analysis in the paragraph above is correct, but please, if you have any doubts or questions, contact a solicitor.

BBC Article on TalkTalk
TalkTalk FAQ on their User Forums

Google's claim that location sharing in Android is "Opt In" is false

Some time ago I tweeted my concerns that despite Google Android asking whether the consumer would like to enable Location Sharing (opt-in) during the initial device setup, one still had to manually disable location sharing in Android's web browser - this is enabled by default even if you don't opt-in to location sharing during the initial device setup.  This, in itself, is enough to stifle Google's claim about Android location sharing being Opt-In.

However, to make matters worse, when you install an Android update (as I did with Froyo and soon will again with Gingerbread) it reverts the browser setting for location sharing back to "On".  This is completely unacceptable and only now (after several months) have I noticed this because one assumes that once you disable it, the setting will persist.  It is only because the issue came up again today that I checked my browser settings, to find that it had been "on" for several months.

Furthermore, it has been reported that the Android Twitter Client also reverts location sharing back to "on" when it is updated.

I would advise anyone who has an Android device and does not want to disclose their location to the world and his dog, to go into any net facing apps (including browser and social networking clients) and check that location sharing is turned off.

I will be discussing this with Google over the next couple of days "suggesting" that this is dealt with before Gingerbread is released by making the default option for the browser and other apps set to disable location sharing - either that or the initial setup where one can "opt-in" to location sharing needs to persist across ALL applications including the browser and social networking apps.  I will post updates when they become available.