The “right to be forgotten” is not censorship.

Image used under Creative Commons by Sara Biljana

Enshrining the right to be forgotten  is a further step towards allowing individuals to take control of their own data, or even monetise it themselves, as we proposed in the 2020 white paper (Scenarios for the Future of Cybercrime).

The way the law stands in the EU currently, we have legal definitions for a data controller, a data processor and a data subject, an oddity which lands each of us in the bizarre situation where we are subjects of our own data rather being able to assert any notion of ownership over it. With data ownership comes the right to grant or deny access to that data and to be responsible for its accuracy and integrity.

Continue reading

Open(SSL) season for targeted attackers.

Image by permission from Andrew Mason

Image by permission from Andrew Mason

Heartbleed, the vulnerability which is the result of a coding error in the widely used OpenSSL encryption library has been hogging all the headline over the past few days, and rightly so, it represents a a huge risk to information security for consumers and businesses alike.

You could be forgiven though given the majority of the coverage, for believing that as long as you waited for affected websites to update and subsequently changed your passwords that you would be covered. Wrong, Heartbleed is more death by a thousand cuts than major cardio-vascular event. It’s certainly true that by far the most widespread immediate risk, certainly in terms of numbers of potentially impacted individuals, is in the exposure of sensitive information by vulnerable web servers, information that could include passwords and session cookies, but even once this initial wave of patching is done the residual risk will be enormous.

Continue reading

It’s not my birthday

Flickr image by andrewmalone used under Creative Commons

I arrived in the office this morning to find a slew of birthday greetings awaiting me, both on Skype and even in direct message form on Twitter, where I was told that my birthday was appearing in someone’s calendar and they had no idea why. For a second I was confused, until my other half told me of her moment of abject fear that she had forgotten my birthday when she logged into Skype, the the proverbial penny dropped.

Like the queen, I have two birthdays each year, my real one and my Skype birthday and there is a good reason for this. Skype decided long ago that certain parts of your Skype profile information should be publicly available and Microsoft have continued this tradition. The privacy settings of these data items are non-configurable, this data comprises your first and last names, gender, detailed location and date of birth which taken together easily constitute “Personally Identifiable Information” under whichever jurisdiction you care to mention.

Whilst is is not compulsory to enter your date of birth on Skype in order to operate an account you are certainly encouraged to do so, whether that be by the “Profile completeness” tips (you get and extra 10% for your birthday!) or the bald invitation to “Add your birthday”. However it is not made clear when you add this data that it will only ever have a privacy setting of “Public”. Once you discover this, no doubt you will want to remove your date of birth, but the interface seems designed to fool you into thinking that this is nether possible nor wise

Skype Date of Birth

“It’s a Security Thing”… It sure is!

Nonetheless it is entirely possible, and advisable to reset this information to read simply “Day”, “Month” & “Year” and to remove your birthdate from the public domain. Either that or elect to have a second alternate birthday, just like I did. I haven’t got any presents yet, but the attention on this Monday morning is lovely.

Of course your friends and people you trust need to know your birthday, otherwise how are you ever going to get the full set of Iron Maiden reissues as birthday presents (true story) but unfortunately information such as date of birth is still all too often used as important security information or qualifying information to apply for identity documents and should not be broadcast so widely. In the words of the New York State Police

“All an identity thief needs is any combination of your Social Security number, birth date, address, and phone number.”

We can argue the pure logic of their claim (“any combination?” surely not) but the fact remains any information given freely, particularly in context increases your risk of identity theft or fraud. If you think that enterprising online criminals are not really interested in this stuff, think again, as much as five years ago they were already referring to Facebook as a “Free DOB Lookup Service”, of course that got resolved but we all know that scammers actively solicit contacts on Skype already and accepting the connection request is all it takes to give away your personal information.

Criminal forum post from 2009

Criminal forum post from 2009

We live in an age where everything is increasingly connected to everything else; accounts, applications, APIs, credentials devices and personal details and more. The less you broadcast, the more you can begin the long process of reclaiming ownership over your own identity. A process which for most of us, is long overdue.