Links of interest 22 Feb 2010

Not had time to blog much lately, so here are some links to recent developments of interest, in no particular order - and this is just what I've come across in the last 2 weeks or so!

Privacy & security

• Your typing style could identify you uniquely - yet another way to identify an individual internet user through the cadence or rhythm of their typing, another weapon for the de-anonymisation armoury. See Ars Technica, CitMediaLaw comments.
• 10 information security tips for employees developed by ENISA "with the aim of focusing employees' attention on information security and allowing them to recognise IT security concerns and respond accordingly"
• Tracking people - Autonomous Production of Images based on Distributed and Intelligent Sensing (APIDIS) system for tracking ball and players in sports matches "could also be useful for surveillance, when it could track groups of people on CCTV networks"
• Forging passports (including British) to use in relation to an assassination is scary indeed. See Amberhawk, Reuters. (ID cards can be faked, techies knew that even if the UK government didn't seem to want to.)
• Internet safety
  • Child internet safety tips for parents & guardians - ENISA's 10 points, just issued.
  • Social networking safety - the EU's general report and individual assessments of the safety of popular social media sites like Facebook, independently evaluated against the EU's Safer Social Networking Principles - e.g. see the report on Facebook.
• Linking offline shopping behaviour to online ads - Yahoo & Sainsbury's Nectar make deal allowing online advertisers to target consumers based on their high street purchases, linking high street supermarket spending with the consumer's Yahoo! login (though it appears to be opt-in, at least) - IAB
• Webcam spying - the stuff of movies, someone spying on you through your computer's webcam and mic, but a US school seems to have been watching students (and their families?) at school and and home using school-supplied laptops, and rightly have been sued - BoingBoing; the BBC have picked it up; Ars Technica say the school's backed down.
• Ubercookies and identifying website users - Arvind Narayanan describes how "ubercookies" can be used to identify visitors - first, the history stealing and group membership correlating technique I mentioned previously, then more sophisticated attacks using what you share and other "footprint" traces you leave on the web; and next a bug in Google Docs (which Google said they'll fix) that lets sites identify you too.
• Security - Chip & PIN cards can be used without knowing the PIN - Light Blue Touchpaper
• DNA retention boo boo - 5 case studies submitted by Home Office to MPs to justify retention of innocent people's DNA were actually 4 with one being included twice… ComputerWeekly
• ACTA (Anti-Counterfeiting Trade Agreement) negotiations -
  • Ars Technica on the leaked internet chapter aimed at combating online copyright infringement
  • Opinion of European Data Protection Supervisor - speaking up on the importance of privacy & data protection, and against "three strikes" internet disconnection policies. Out-Law report.
• Government, business and social networking logins stolen through Kneber botnet virus - Reuters, ComputerWeekly
• PleaseRobMe.com - lots of coverage of this site which aims to raise awareness that announcing your location publicly online, including the fact that you're not at home, may not be a good idea, particularly with the rise of location related services or games like FourSquare - BBC, TechCrunch
  • Broadstuff: "I took one of the people on the first PleaseRobMe screen I looked at… and found their home address via a quick use of Twitter and Google. Took 5 minutes or so (the person was about the 10th I tried). You could fairly quickly build some algorithms to automate that mashup process".
• People's locations & movements are predictable - study of "cellphone traces" showed that "regardless of whether a person typically remains close to home or roams far and wide, their movements are theoretically predictable as much as 93 per cent of the time." This USstudy made use of cellphone records collected for billing purposes and anonymised, but of course I wouldn't be surprised if someone didn't manage to de-anonymise them…
• Top 25 programming errors that jeopardise security, updated. ComputerWeekly said New York State is updating its procurement terms (application security procurement language) to address these top 25 errors, with other states to follow. Will the OGC ensure UK government procurement requirements are updated too?
• Google Buzz privacy debacle (exposing key Gmail contacts & Google Reader shared items to the world, etc) & complaints galore -
  • It's like releasing crocodiles into a school! (Robin Wilton - though I think uncontainable "noxious vapours" may be a better analogy than crocodiles, perhaps…); Newsweek got in on the action too; and there's Google Buzz lets pervs stalk your kids, not at all good if someone called “iorgyinbathrooms” is following your child
  • Cue complaint to FTC by EPIC (see complaint) and a class action lawsuit.
  • See Arvind Narayanan on Buzz, social norms & privacy
  • Oh, there was a security vulnerability in Buzz, too.
  • Google added Buzz to their privacy dashboard but it should have been there from the start.
  • But Buzz has its uses - tips & more tips
• Data protection audits - the ICO will have more powers come April 2010 including auditing powers; they've issued for consultation a draft Code of Practice on Assessment Notices as to how they'd conduct audits. Out-Law report.
• Model contractual clauses for transfer of personal data outside the EU - recently modernised. Helpful for multi-national businesses especially for subcontracting & out-sourcing. See Out-Law.
• CV poaching - I didn't know this was going on:
  • "…it turns out that the candidate fell victim to resume poaching; someone grabbed their resume and submitted the candidate without the candidate’s knowledge… the recruiter could lose out on a potential fill, the candidate can be disqualified by the client for shopping around (a scorched earth response – rather than attempting to sort out what happened, the client disqualifies any resume submitted more than once), and the client is put on the spot to intervene in a process they should never have been involved with in the first place…. If you do post your resume, anonymize it – make the recruiter come to you. Avoid using your LinkedIn profile as a resume (believe it or not, with enough detail an unscrupulous recruiter will just make the resume for you. The key is to just summarize your experience)."

Other mobile / comms stuff

• BBC apps for iPhone planned, but objections come from the Newspaper Publishers Association and even (for different reasons) the Open Rights Group.
• Apple is still tightly controlling iPhone App Store, now getting rid of "overtly sexual" apps. A designer swimwear retailer complained about "Apple's sexual crusade" removing their shopping app:
  • "It seems like political correctness gone mad. It’s just women in bikinis, swimsuits and kaftans."
  • (And by the way YouTube are now policing nudity too..)
• Mobile apps generally - many global network operators, handset manufacturers and internet players have formed an alliance, the Wholesale Applications Community (WAC), to try to make mobile apps development easier and independent of user device or phone platform and "unite a fragmented marketplace". One way to fight back against Apple's App Store and its ilk..
• M-banking or mobile phone "wallets" (transfer of value by mobile) are popular and helpful in developing economies like Africa - however, US consumers don't seem to like the idea of "wallet phones"
• Skype's growing while international phone traffic is falling, but from a security viewpoint it seems large data files can be hidden almost undetectably in Skype VOIP calls. Presumably that's not the main driver for the increase in Skype's popularity!

Misc

• Future of the Internet - Pew's 4th report released, including whether Google really is making us stupid, is the internet killing reading, is anonymity dead?
• Domain names - ICANN study on Whois accuracy (not very), via Computing.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.