
vTech – ignorance is no defence (and neither are weasel words)

This morning, Troy Hunt published a blog post alerting readers to a recent change in the Terms & Conditions published by children’s toy manufacturer vTech. The changes are truly astonishing; take a look at the Limitation of Liabilities clause for yourself.
You may remember that vTech were breached in November last year, losing the personally identifiable information not only of adults (4.8M parents), but also of 6.8M children.
What do you do as a response to this kind of disaster? Well, apparently, you update your Terms & Conditions to include the egregious text (the red is mine):
7. Limitation of Liability

YOU ACKNOWLEDGE AND AGREE THAT YOU ASSUME FULL RESPONSIBILITY FOR YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM IS AT YOUR OWN RISK. RECOGNIZING SUCH, YOU UNDERSTAND AND AGREE THAT, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEITHER VTECH NOR ITS SUPPLIERS, LICENSORS, PARENT, SUBSIDIARIES, AFFILIATES, DIRECTORS, OFFICERS, AGENTS, CO-BRANDERS, OTHER PARTNERS, OR EMPLOYEES WILL BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR OTHER DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER TANGIBLE OR INTANGIBLE LOSSES OR ANY OTHER DAMAGES OR LOSS BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY (EVEN IF VTECH HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM THE SITE OR SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM; THE USE OR THE INABILITY TO USE THE SITE; UNAUTHORIZED ACCESS TO OR ALTERATION OR DESTRUCTION OR DELETION OF YOUR TRANSMISSIONS OR DATA OR DEVICE; STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SITE; ANY ACTIONS WE TAKE OR FAIL TO TAKE AS A RESULT OF COMMUNICATIONS YOU SEND TO US; HUMAN ERRORS; TECHNICAL MALFUNCTIONS; FAILURES, INCLUDING PUBLIC UTILITY OR TELEPHONE OR INTERNET OUTAGES; OMISSIONS, INTERRUPTIONS, LATENCY, DELETIONS OR DEFECTS OF ANY DEVICE OR NETWORK, PROVIDERS, OR SOFTWARE; ANY INJURY OR DAMAGE TO COMPUTER EQUIPMENT; INABILITY TO FULLY ACCESS THE SITE OR ANY OTHER SITE; THEFT, TAMPERING, DESTRUCTION, OR UNAUTHORIZED ACCESS TO, OR ALTERATION OF, ENTRIES, IMAGES OR OTHER CONTENT OF ANY KIND; TYPOGRAPHICAL, PRINTING OR OTHER ERRORS, OR ANY COMBINATION THEREOF; OR ANY OTHER MATTER RELATING TO THE SITE OR THE SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, VTECH'S LIABILITY TO YOU FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO THE AMOUNT PAID, IF ANY, BY YOU TO PURCHASE A VTECH DEVICE OR SOFTWARE.

Some jurisdictions do not allow the exclusion of certain warranties or the limitation or exclusion of liability for incidental or consequential damages. Accordingly, some of the above limitations may not apply to you.
This limitation of liabilities clause in their T&Cs is incredible! Here is a selection of words I would use to describe it: outrageous, unforgivable, ignorant, opportunistic, and indefensible.
The correct response to a breach of the scale that vTech recently suffered, particularly in light of the ease with which it was achieved, is to learn from your mistakes, to improve security and security practices, and to apologise to the true victims of the breach: your customers.
vTech appear to have learned only that they have a legal liability to protect consumer data, sensitive data of children and parents, MY data and that of my own children in fact, and that a failure to fulfil that obligation may result in substantial costs to the business. As a (former) customer of vTech I can say with certainty that these new T&Cs have not been communicated to me.
With this clause vTech appear to be attempting to completely absolve themselves of responsibility when it comes to protecting customer data. The only possible motivation for inclusion of a clause such as this could be to attempt to take advantage of their customers’ ignorance of the law, to attempt to brush aside consumer complaints in the event of a breach. This is not only morally unacceptable, it would also be struck down as a defence by any European court and in fact I would not be surprised if they were obliged to remove this clause from their T&Cs within the EU by national data protection agencies.
vTech, and every other entity that collects, stores or processes personally identifiable information has a legal obligation to protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. The more sensitive that data, the greater the duty of care and no amount of clauses in a T&C “agreement” will change that.
Would I advise consumers to avoid an organisation that attempts to take advantage of its customers’ goodwill and to absolve itself of its legal responsibilities with weasel words? Unequivocally, yes.

Where’s Wally? Tracking the president with GPS

Is the security of wearable technology really a big deal? Is the security of IoT devices really such a big deal? I mean, my fridge, my light bulb, my other cliché, what use are they to an attacker? Who really cares where I am, how fast my heart is beating or what my typical pace is over any given distance?

Maybe this photo of the President of the United States sporting his shiny new fitbit Surge gives you all the answer you need. The POTUS, wearing a fitbit, with GPS, being tracked 24/7, by a third party… See where I’m going?

The Internet of Things (IoT) and, even more broadly, the Internet of Everything (IoE) are still nascent areas of technology where individual physical devices with embedded electronics, software and sensors are internet connected in order to provide greater value by exchanging data without the need for direct human intervention. This rapidly expanding arc of the information technology rainbow has attracted much attention recently from security researchers, with presentations at high-profile security events breaking the security of home security systems, cars and many others.

Whilst this research is important in practical terms, hopefully driving some manufacturers to resolve the issues identified, it is also somewhat misdirected.

IoT devices themselves are almost invariably sold as a “black box” solution: little to no user interface and no options for aftermarket security or tweaking. They are most often low memory, low storage, low processor-power devices designed primarily to harvest data and forward it on for the actual processing. And there’s the rub. The data is sent off-device, to the cloud, where it can be processed, mined, correlated and cross-referenced. Where it can be BIG data.

It is a simple matter for a security researcher to acquire a piece of interesting technology and begin to dissect it for vulnerabilities. Of course it takes skill to do so, but there are no significant barriers aside from that. You buy the kit and you break it.

It is a far more complex minefield to navigate if you set out to test the security of the back-end to those devices. In fact, more often than not it is illegal. To probe the security of someone else’s data centre without their permission, to break in and see what treasure is there for the taking, that ventures outside the realms of research and into the criminal, so the good guys don’t do it.

The bad guys, of course, don’t have to play by those rules; targeted attacks are their stock in trade, and data centres are fast becoming targets of choice. If the President of the USA is wearing technology x, then technology x’s back-end suddenly presents a juicy looking target for criminal or state-sponsored attack, and they won’t be discerning about who else’s data they make available either.

Data in general is gold dust to attackers: the more of it one can accumulate, the more tailored, credible and successful one’s attacks can become. All too often devices destined to be connected and used online are designed and produced either by traditional organisations who have typically not had to pay attention to digital security during the manufacture and design process or by entrepreneurs who are too interested in getting their first product to market to be slowed down by some nagging security concern.

It is becoming a significant challenge to regulatory bodies and to governments to ensure that safety standards, which have previously focused on the physical risks of a product and its components, accurately and clearly identify digital risks and outline the minimum safety criteria. Perhaps in the near future we can hope for a kind of digital kite-mark, offering at least some assurance that physical goods and their supporting infrastructure have been designed and built to a defined standard of digital security, that security was baked-in, not glossed over, and that none of the small parts may cause choking. The need for this becomes ever more urgent as pretty much every £100+ good becomes connected in some way; in fact Gartner estimated in 2013 that by the year 2020 (have you watched our award-winning web series yet?) there will be more than 30 billion “connected devices”.

What you really accept when you use How-Old.net

Microsoft had an apparently unexpected hit on their hands with the unveiling of the “How Old Do I Look?” service at the Microsoft Build conference last week. By the weekend my Facebook feed was filling up with friends from all over the globe sharing the results of their own submissions to the service. For the three of you that haven’t come across this viral hit recently, “How Old Do I Look” allows a user to upload a photo and will attempt to correctly guess the age of the subject of the picture, with the results ranging from the spectacularly awful to the incredibly accurate.

My vanity drove me to the website to upload a picture of my ageing mug. Before uploading though, unlike most users it would seem, I paused to read the Terms of Use linked from the landing page of the service. After being initially reassured by the clear and unambiguous “P.S. We don’t keep the photo” right below the upload button, the ToU told a very different story…

From the “Materials Posted on this Website” section of the ToU (my own bolding):

“[…] by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services”

These are actually the standard ToU for Microsoft’s Azure cloud services, and they are broadly similar to the ToU of many, many other online services. While I am not trying to insinuate that Microsoft have some sneaky photo-stealing agenda, these ToU do really serve to illustrate a couple of perennial problems in information security.

– The scale of customers’ unwillingness to inform themselves of what exactly they are agreeing to when making use of information technology.

These terms were not hidden away, they were clearly linked from the front page of the service, yet not one of the people I spoke to had bothered to click through. Perhaps we have been educated into apathy. Many companies are certainly guilty of producing reams and reams of agreements and terms that a customer could never reasonably be expected to digest (*cough*iTunes*cough*) but this was not an example of that. These Terms were relatively clear and concise and not overly long.

– The cult of overasking.

It seems that the developers of the How Old service had no intention at any time of storing your images, or of “publishing your name in connection with your submission”, but instead of crafting a Terms of Use document specifically for their own service, potentially one that could have been far more brief, human-readable and accessible, they fell back on the default Microsoft Azure ToU.

These kinds of clauses help no one. In most cases the motivation behind such a broad legal definition of rights is a technical one. The service provider needs to cover the processing, caching, and publishing of user submitted data. They need to legally define the normal operation of their service. However, the legal eagles, in attempting to define that service, grant themselves such a broad swathe of rights, going on to qualify them with phrases such as “without limitation”, that the end result is Orwellian in scope.

When the rights reserved by the operators of “How Old” are pointed out to the users of the service they are clearly concerned, often to the extent that they wish they had never used the service. This isn’t fear-mongering, this is a natural and understandable reaction to the feeling that a faceless corporation is “taking liberties” with their data or duping them with a “bait and switch” scam. “We don’t keep the photo (but we can if we want to)”.

These things must end. It is our own responsibility to keep ourselves informed of the content of agreements that we make, whether that’s a pen and ink signature on an agreement or a digital click of acquiescence. We need to reject terms with which we are uncomfortable and push back on overly greedy legal documents.

At the same time, the legal officers, particularly of the global mega-vendors, have a duty to become more tech-savvy, to be able to better define the technical rights necessary for the operation of a service accurately, without the need for land-grabbing phrases such as “without limitation”.