Recursive censoring?

Most people will be familiar by now with the story regarding Leon Brittan and the paedophile dossier as well as Google censoring certain results after legal demands had been made (for more details on the story click here).

Now it seems things are getting a little stranger. Not only is Google apparently censoring results but pages are also disappearing from media organisations too. Virtually none of the mainstream press have covered this story but the one that has – The Daily Telegraph – appears to have decided to remove the article in question. Searching for ‘Leon Brittan PIE’ in google gets me this:

[screenshot of the Google search results]

You’ll note that the second to last link refers to a Daily Telegraph article. Clicking on the link however just gives me a ‘missing page’ message from the Telegraph website. For those of you that are interested the URL that the hyperlink uses is this:

Clicky

So it now seems that the fact that censoring is going on is itself being censored.

The ICO: as useful as a chocolate teapot?

The ICO deals with two main areas of responsibility: dealing with appeals in regards to Freedom of Information requests and any issues connected with the Data Protection Act. Personally speaking I do have a degree of respect for the ICO when it comes to how they deal with matters pertaining to Freedom of Information. I might not always agree with their conclusions but it’s easy to see that some thought has normally gone into them. Data protection is, however, a different matter. Getting them to do anything seems to be an uphill struggle and often next to impossible. A good demonstration of this would be my recent complaint to them in regards to a form apparently set up on Tom Watson’s behalf.

Many of you will be aware of the plan for a free copy of the Sun to be delivered to each home in England – Liverpool excepted. A lot of you will also be aware of Labour MP Tom Watson’s idea that people should be given the opportunity to stop the free copy from being delivered to their house. For those of you not familiar with the story, you may want to visit the following site:

http://labourlist.org/2014/06/world-cup-blues/

So far so good. Personally I have no real problem with this. The questionable journalism shown in the immediate aftermath of Hillsborough deserves to be condemned. The demand to stop such free copies from being delivered was clearly there, and Tom Watson – or one of his friends – was able to provide a form that allowed people to send in their details. These details would then be forwarded to the Royal Mail. I had even initially visited the site with the intention of signing up myself.

However in doing all this Tom Watson also displayed a level of hypocrisy that I believe also deserves to be condemned.

He mentions the Printers Imprint Act 1961. This is an obscure law that most people would not even be aware of. He continues with how the law needs to be enforced and how a £50 fine ought to be paid for each copy of the Sun sent out that breaks this law. Unfortunately for Tom Watson however the form provided is completely unprotected. Data is also sent outside the EEA without any protection each time details are submitted. My personal view is that this goes against the Data Protection Act. The DPA is a more fundamental law than the one that Tom Watson used to attack those working at the Sun. If the Sun deserves to be punished for their actions then so does Tom Watson in my opinion.

The website set up for this purpose can be found here:

http://notothesun.nationbuilder.com

The form asks the user for their:

  • First name
  • Last name
  • Mobile number
  • Email address
  • Postal address

And then submits them in plain text with no protection whatsoever via a server located in a banana republic like Costa Rica courtesy of a US company outside the reach of UK regulators.

Over 7,000 people have apparently filled out this form.

I sent an email to the ICO inquiring about the legality of such a move. An abridged copy of their response follows:

Thank you for raising your concern with us about the collecting of personal data in connection with a campaign to stop the Sun newspaper from being delivered to individuals who do not want to receive it.

You say that the data capture form is not protected by SSL.

We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us to do that.

Our role is primarily to consider whether there is an opportunity to improve the practice of the organisations we regulate, not to investigate or provide a formal adjudication on individual concerns.

As you are aware, the seventh data protection principle says that appropriate technical and organisational measures shall be taken against unauthorised processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This means that organisations are under a duty to keep personal information secure. However, the DPA does not specify what action they should take. The DPA recognises that there is no ‘one size fits all’ approach to data security. It is therefore necessary for organisations to adopt a risk-based approach to the level of security required in any particular circumstances. The measures an organisation takes should be appropriate to the nature of the personal data and the harm that could result from a security breach.

The personal data in this case is not ‘sensitive’ in terms of the DPA definition. Neither is it particularly confidential. It does not, for example, include any details of bank accounts or credit card numbers. It is made quite clear what purpose the individual is providing their personal data for and what will happen to it. There is no indication that individuals are being misled in any way about what they are consenting to when they provide their personal data and it is entirely their choice to provide their personal data or not. Nevertheless, any security breach would cause inconvenience at the very least.

It is not entirely clear that Mr Watson is the data controller in this case but in view of the fact that his name appears in connection with the campaign, we will write to him to provide advice about compliance with the seventh principle.

In relation to your concerns about CloudFlare, as this appears to be a US-based company, it is outside the Information Commissioner’s jurisdiction.

We will not be taking any further action in relation to the specific points you raise at this time. However, we will retain details of these matters, to inform our overall view of current internet issues.

I also asked the ICO for their view of exporting data to the US or within the US sphere of influence given recent stories (not just the PATRIOT Act, but also FISAAA as well as the appearance of the complete lack of rights for non-Americans).

They have steadfastly refused to address this question. In addition they appear to have deliberately avoided dealing with the issue of exporting data outside the EEA by making it sound like the company is responsible for the export of data, rather than the person or persons setting up the form and choosing them as the provider. Cloudflare, the service provider that underpins the website in question, has offices in the UK. The website itself lists other UK organisations as users, but the ICO appears to have made zero effort to find out who was responsible for creating the form.

As for not being sensitive, personally I would suggest that somebody at the ICO read this:

http://blog.spiderlabs.com/2014/06/from-a-username-to-full-account-takeover.html

It would appear that I’m not the only one to notice the toothless nature of the ICO.

“One of the problems we have got as a community is that if you don’t fine people then they don’t do stuff.”

Martin Sugden, chief executive of security firm Boldon James, takes a dim view of his industry.

A veteran of the security industry, he believes the UK’s Information Commissioner’s Office (ICO) has been lax in punishing those who flout the data protection rules and are failing to deter bad behaviour.

Trawl through the security archive of CBR over the last few months and you would have to agree IT has a security problem.

[…]

He believes the office is not as investigative as it should be, and subsequently is “slow to affect things”.

http://www.cbronline.com/news/security/is-the-information-commissioner-doing-enough-to-protect-your-data-4311103

In my case ‘not as investigative as it should be’ would appear to be the same as ‘no investigation whatsoever’. It’s a real shame that we seem to have an ‘independent’ regulator that seems to be more concerned with the impact on the economy amongst other things than actually doing their job.

A lack of control over access to the French electoral lists?

Those who know me will know that I currently have French citizenship and as such am registered with the French consulate in London. The registration process involved providing certain personal details, including an email address. Since this didn’t seem unusual in any way I was quite content to provide one.

It would seem that control over who can access the electoral list held by the consulate is rather lax and as a result I had to put up with rather high levels of spam prior to the last election. Whilst this was frustrating it was at least understandable since part of the reason for the list in the first place is to facilitate communication between the candidates and those that can vote for them.

More worryingly however it would appear that access to these lists has been granted for other purposes unrelated to the electoral functions that the lists are supposed to facilitate. I recently started getting spam emails advertising the existence of a new web based TV station aimed at French citizens living in the UK: angleterre21.tv.

It should be noted at this point that the email address I provided to the consulate is only an alias and was only ever provided to the consulate. Combine this with the specific intended audience of the email – French citizens in the UK – and it’s rather easy to come to the conclusion that the organisation behind angleterre21.tv was provided with my address by the French government.

I emailed the ICO in the UK about this as I’m also British, but they told me that since this involved the French consulate that it would have to be dealt with by the French authorities. To be fair this is what I expected but unfortunately the CNIL – the ICO’s French counterpart – make it surprisingly difficult for anybody abroad to contact them online. They don’t even provide an email address, which is in itself incomprehensible given the potential for French systems and laws to impact on their citizens living elsewhere around the world.

A telephone number or postal address is simply insufficient in such cases. Given the amount of time people tend to spend on hold would anybody want the astronomical phone bill that could result from an international phone call to the CNIL? In any case the ICO were kind enough to forward my concerns directly to the CNIL, so hopefully they’ll not only get my email but also act upon it.

While they’re doing that they could perhaps also look at some of my other concerns, one of which is why the French government is allowing personal information to be exported to a 3rd country with little or no rights to privacy for foreigners and no permission from the people concerned?

The website is hosted in the US. The owner, if his LinkedIn profile is to be believed, currently appears to live in the US and the bulk email service used is also located in the US. French authorities are happy, however, to see personal details entrusted to them sent to that country despite the continued lack of any privacy for French citizens there.

Why?

One law for the police, and one for everybody else?

Apparently a PCSO has been found guilty of illegally accessing police databases (the original article seems to have conveniently been removed).

This illegal access occurred over 5 years (which raises the question of why it took so long to catch her), but more importantly happened on 900 separate occasions. In addition she was only fined £500 rather than being handed a prison sentence. Apparently since she did not hand the data on to 3rd parties she was not charged with a more serious offence.

A few points come to mind as a result of this:

  • £500 for 900 offences. That equates to only a 56p fine for each offence. This sort of level of punishment is clearly insufficient.
  • The government appeals lenient sentences in other cases, but rarely if ever appears to do so when it involves the police. Previous emails sent to my MP seem to suggest that the government think that blanket support should be given to the police as they do a difficult job. This may well be the case, but all this attitude achieves is the perpetuation of corruption (institutional corruption?) that gets increasingly worse over time because of the refusal to deal with it.
  • How can it be proven in this case that the data was not handed on to 3rd parties? Even her own solicitor mentions the PCSO’s own ‘dire financial’ circumstances as part of her defence in the original article, and it’s difficult to see why they would do so if the purpose of the data gathering wasn’t financial gain.
  • Why the differentiation in sentencing? Why does it matter whether it was shared or not? Access was illegal, and given the difficulty in really proving that the data was never supplied to 3rd parties surely there should be no difference between the two crimes?
  • And a last point: why was this PCSO allowed access in the first place? Or are they increasingly taking the place of ‘normal’ officers to the point that this access is needed for their job?

I can understand being lenient if the situation isn’t clear; nobody expects either police officers or PCSOs to be 1st class lawyers after all. However the lenient sentencing in cases where there has been a clear cut abuse of access really is impossible to comprehend, at least in terms other than there being one law for them and one for the rest of us.

Allowing people to pay a pittance each time they commit a crime can only encourage the same crime to be committed time and time again. The police need to be whiter than white, not merely the rather dirty and grubby grey that they only seem to manage at the moment.

I emailed my MP (Chris Grayling) to ask him why this situation was allowed to continue (he also happens to be the current justice secretary so I assumed he would be interested in this type of matter). His response was rather brief:

Sentencing is always a matter for the Courts, but there are tough penalties available to Judges handling individual cases if they consider them appropriate in the light of the evidence presented to them.

Which doesn’t say why 1) tough sentences are rarely if ever applied when the police are involved and 2) why the government allows this situation to continue. Tough sentencing may be available to judges but they have to follow sentencing guidelines and laws as laid down by parliament. It seems odd that more isn’t done about this when the government has previously complained about judicial activism at the EU level and has shown a certain willingness to appeal against lenient sentences when it involves members of the public.

Why bother with PCCs?

By now most people will be familiar with the corruption that goes on within the police, as well as the inability to take account of the needs of the general public in regards to how the police deal with different types of crimes. PCCs – or police and crime commissioners – were introduced to try and rectify this problem and encourage the police to take account of the wishes of the public.

One might expect the PCC to be broadly supportive of the general public and to make an effort to hold the police to account. This is unfortunately not the case if recent events are anything to go by.

One of the regular posters at NoDPI.org recently attended a meeting that allowed the general public to ask the chief constable questions. The PCC was also there. A brief transcript of what transpired can be found here, and a number of quotes are included below.

Safe to say things did not go well. It seemed fairly clear at the outset that things were going to be difficult.

Sue Mountstevens quickly interrupted me, and urged me to be brief.

This line from the article is revealing, since the PCC seems more interested in making life easier for the chief constable rather than making sure he answers the questions put to him.

But what happened next was more disappointing. Far from offering an account, Nick Gargan simply laughed at me. He laughed in my face.

This fundamental lack of respect for a member of the general public is rather revealing, as is the PCC’s apparent complete failure to stop him from showing such contempt to somebody simply asking him a question. Again apparently nothing was done on her part to correct matters.

He quickly composed himself, but then tried to assert that intercepting communications was ‘not a crime’.

Let me repeat that: intercepting communications is not a crime in the chief constable’s opinion. This was rather a surprise given the number of journalists that have already been arrested for such offenses. Perhaps Nick Gargan should have a word with Brooks and Coulson? In any case there was more: the home secretary responded to my questions with the following quote (emphasis added by me):

The Regulation of Investigatory Powers Act 2000 (RIPA) includes offences of unlawful interception – i.e. interception without a warrant or other lawful authority. A person who is found guilty of unlawful interception is liable to imprisonment for a term not exceeding two years or to a fine, or to both.

RIPA also contains a power for the Interception of Communications Commissioner to serve a monetary penalty notice on a person whom he considers has intercepted a communication without lawful authority. Mr Seurre asks whether companies are subject to RIPA. Individuals and companies can be prosecuted under the unlawful interception provisions. In the event that an offence has been committed by a private company, an officer of that company may be subject to the sanctions set out above.

If Mr Seurre believes that an offence has been committed, he should report this to the police. Alternatively he can contact the Interception of Communications Commissioner’s office at the following email address: info@iocco-uk.info

‘He should report this to the police’. What exactly would be the point of doing this if the police routinely ignore such reports? Surely any effort to do so would be an exercise in futility? Given recent stories about police and statistics I can only assume that this failure to recognise interception of communications as a crime is yet another effort to try and fiddle the numbers.

More worrying however is the apparent failure of the PCC to do anything in regards to the chief constable’s unacceptable behaviour and incorrect conclusions. As a result I sent her an email basically asking her why she thought such behaviour was acceptable and what she intended to do to try and mitigate the lack of knowledge within the police force, and also included the advice sent to me from the Home Office. Her reaction was rather disheartening:

I spoke to your friend and also replied to his email in November 2013, to address his concerns and he may well have already shared this with you directly. Your friend is aware that the Chief Constable gave his response to each person who raised a question and this was also heard by all the audience.

You are very welcome to attend any of the public forums to get a first-hand account of the Constabulary’s response and also my own replies. If you ask a question and then feel that the person who replies acts in a way that brings the Constabulary into disrepute or their conduct is below the professional standards expected then you can make a complaint. If an apology is due then I am keen that it is given as soon as possible and any poor conduct is rectified to improve the quality of service going forward.

If you are unable to attend a Public Forum but still wish to hear and see the event then you may prefer to listen and watch online via the web-stream. Please refer to my website (as below) for more details of my calendar and future events.

No admission – or denial – that he behaved inappropriately. No admission that the chief constable got things wrong or any indication that any measures will be taken to correct matters. Nothing useful at all in fact.

Perhaps it’s because the PCC is responsible for hiring the chief constable, but in my opinion she seems to be more interested in protecting him instead of encouraging him to do this job. At this point it’s difficult to see PCCs as anything more than highly paid PR sock puppets for the police. They certainly don’t seem to be interested in holding the police to account, and personally speaking I find it extremely difficult to see how they serve any useful purpose.

Just why should we be paying for PCCs? What purpose do they serve?

Who regulates the filtering?

The subject of filtering internet connections by default ‘for the children’ has repeatedly come up over recent months. Like many people I was concerned at the possibility for censorship and abuse. Together with many others I emailed my MP to ask about the filtering (using the extremely convenient writetothem.com website), and my MP was kind enough to forward me a copy of the response that he had received from the DCMS. A copy of that response can be found here.

It would appear that the response consists of… nothing. When you strip out all the meaningless doublespeak there is nothing left. They acknowledge that respecting rights is a problem yet give no details whatsoever on how those rights will be respected.

This sort of attitude isn’t just a problem for the person sat at their PC trying to access online services. When people think of using the internet they tend to only think of the end user. The end user, however, is only part of the equation. They would have nothing to use if it wasn’t for the people that actually own and run the websites. Those website owners have as much a right to privacy, freedom of expression and freedom of association as anybody else. These are rights guaranteed in the ECHR (see articles 8, 10 and 11) and yet the blunt approach that filtering represents appears to completely ignore these rights. I am not a lawyer, but I’d nevertheless also be curious to know how the lack of any formal appeals procedure to stop incorrectly applied censorship could possibly ever comply with article 13 of the convention.

It’s pretty much guaranteed that even with the best of intentions errors will creep in. We already have the clumsy use of existing laws to block access to such dens of depravity as the Radio Times, not to mention political blogs being blocked by the filtering implemented by mobile companies. The problem of incorrectly applied filtering is already so prevalent that entire organisations exist with the sole aim of dealing with this issue.

It’s already clear that without some form of rigorous oversight not only will mistakes be made, but that many of them will be entirely avoidable. People will be filtered out of existence completely unnecessarily when it comes to the British corner of the internet, and even more worryingly will have limited options when it comes to clearing up the mess that should never have happened in the first place.

Take TalkTalk’s approach for example: their ‘notice for website owners’ consists of the following:

If you have a website and believe it is being blocked incorrectly by HomeSafe™ then please email homesafe.classification@talktalkplc.com, stating as a minimum your responsibility for the website (e.g. you may be the administrator, the site owner, or owner of the business advertised), the full name of the domain or url being blocked, and the category you believe it is being blocked under (e.g. Dating). This feedback will be reviewed by TalkTalk and changes may be made to HomeSafe™ as a result. However, TalkTalk will not reply to these requests nor enter into correspondence.

In other words: we won’t tell you when we filter your site. We won’t talk to you about what has happened or why. You don’t really have any rights to demand anything and tough luck if we decide you stay on the list …Oh, and by the way we want you to comply with these impossible demands too.

After all, if a site has been incorrectly filtered, how on earth are the webmasters supposed to state – ‘as a minimum’ – the category that they believe has been applied to their website?

I was curious about who was actually responsible for regulating these systems. Cameron’s speech back in July appeared to suggest that OFCOM would be responsible for overseeing this scheme. I duly emailed OFCOM with the following questions:

  1. What right will website owners have to be notified that their website has been filtered?
  2. What sort of right to reply can website operators expect prior to filtering?
  3. What sort of right to compensation can website owners expect when their site has been incorrectly filtered?
  4. What minimum standards will be enforced to ensure that website owners can get their site unfiltered?
  5. In regards to such minimum standards, how long would be the maximum time that an ISP would be expected to deal with any complaint?
  6. What sanctions will ISPs face for incorrectly filtering a site?
  7. Finally what appeals process will exist if an ISP refuses to remove a page?

This was the reply received:

Ofcom has no general role in overseeing the use of network level filters by ISPs. We are in discussions with the Government with a view to undertaking research into the awareness that parents have of the broad range of measures that are available for the purpose of improving the safety of their children when online. This would include non-technical as well as technical approaches. We would also be looking at the confidence that parents have in using such measures. We are discussing with the Government how we might report on the progress being made by the four main ISPs against the voluntary commitments they gave to the Government, which were widely reported in the media.

The specific questions you ask in your email relate to the operation of the filtering systems by the ISPs and as such are best addressed by those ISPs that are deploying them.

So who is responsible for overseeing the use of network filters? Are ISPs really going to be left to do as they see fit with nobody there to make sure they at least try to avoid mistakes?

One other thing with this reply that ought to be noteworthy is the complete lack of any mention of webmasters and how their rights will be considered in all of this, which is odd considering how many livelihoods depend on web based businesses these days, not to mention the large chunk of people’s lives that are conducted online. The last sentence in the reply is also a cause for concern, since it implies that ISPs will be left to regulate themselves. We know from the disaster caused by the banking industry that self-regulation can often end up being a complete train wreck.

In any case the reply seemed to be at odds with the speech, since the speech included this:

That’s why I am asking today for the small companies in the market to adopt this approach too and why I’m asking OFCOM, the industry regulator, to oversee this work, judge how well the ISPs are doing and report back regularly.

I thought maybe that perhaps somebody somewhere had made a mistake, so I asked them again. I got a very similar reply.

So it seems that there will be no meaningful oversight of the filtering. This is the same filtering that was only ever proposed because of bullying by the government and their threat of legislation. The government apparently won’t be introducing any checks or balances to make sure that these systems are run responsibly, even though the government is directly responsible for the existence of the filtering through their own actions.

I don’t accept that filtering is a good way to deal with keeping children safe. If we believe something is unsafe or inappropriate for a child to have then we should stop them from having it. We shouldn’t break the system in an attempt to accommodate the children. Parental responsibility rarely seems to get a mention. It should be up to them to decide what their children should and should not be using. They shouldn’t be leaving the job of parenting to mechanisms that can never work properly.

Trying to apply filtering to family members of different ages and expecting it to work properly is madness. Doing the same to an entire country is sheer insanity.

People never seem to ask just why their children are using certain items. Take smartphones for example: just why are children allowed to use them? They don’t need internet access or cameras to stay in touch with parents, and yet the general public is being told they have to give up their privacy so that a false sense of security can be given to parents. Anybody who thinks sufficient restrictions can be placed on items such as iPads to prevent access to inappropriate material might also want to read this before supporting the idea of replacing real parenting with questionable technical measures. They might also want to consider the fact that a large chunk of such material is created by the children themselves. In such cases filtering is completely pointless since it can’t stop photos being sent from one child to another.

It may also be worth noting that whilst some may regard much of what’s blocked to be distasteful it’s still entirely legal. ISPs have no legal right to inspect legal communications, much less interfere or block them, without consent from the sender as well as the recipient. The sender in this case would be the website owner.

That said, if others insist on implementing such an ineffective method of child protection, then they really ought to at least make sure that the needs of others are taken into account. If the ability of webmasters to communicate with the outside world is going to be interfered with then it ought to be properly controlled, and not just done on a whim.

A Snooper’s Charter

Most people by now will be aware of the Communications Capabilities Development Programme, a.k.a. CCDP. Despite denials to the contrary this would appear to represent an expansion of the state and their powers to spy on us. The presumption of innocence disappears and we’re all treated as suspects.

What’s even more worrying however are the lies being told to Lib Dem MPs in order to get them to support these measures. One begins to wonder what lies have been told to Conservative MPs in order to get them to behave and toe the party line. In addition to this we have policemen apparently conspiring with the media to spy on people, and SOCA getting involved in enforcing law for offences that are neither serious, organised nor criminal (copyright offences come under civil rather than criminal law).

I would strongly urge people to sign this Number 10 petition and write to their MPs to voice their opposition to CCDP. This can be done by simply visiting the WriteToThem website and entering your post code. The details of your MP will then be shown and you will then be presented with the chance to fill out a form to send an email directly to them.

Some questions to consider asking:

  • How can making the police’s work impossible by encouraging people to encrypt *all* of their personal web usage be good for law enforcement?
  • One of the 7/7 bombers was under surveillance *before* the bombing, but the watch had to be dropped for lack of resources. Isn’t data overload a bigger problem than insufficient access, and won’t this sort of measure make things even worse?
  • How can we trust the authorities to act responsibly when they are already acting either outside their remit or in a way that can only be described as corrupt?
  • Why is the ability to resist demands for information being removed when, in Google’s case, almost 40% of demands are turned down and shown to be unnecessary or just plain wrong?
  • Who will have access to this information and when will they be able to use it?
  • Whose authority will be required to grant access to this information?
  • Under what circumstances would access be denied?
  • How much access will the ISP or their commercial partners have to personal data gathered for law enforcement purposes?
  • What will the ISPs or their commercial partners be allowed to do with it?
  • Who will pay for the extra hardware and expertise the ISPs will need to comply with these new demands?
  • How would they counter the suggestion that this system will ultimately damage the UK economy by discouraging tech companies from basing themselves in the UK?
  • How can this system realistically be run without the cooperation of the US government when many of the systems used here are based in the US?
  • Is your MP certain that they have accurate information, and not the same sort of warped assessment, intended to elicit a specific response, that was sent to Lib Dem MPs?

UK mobile operator Three illegally intercepting and sharing traffic

I was recently lucky enough to be given a new phone, and also got a 3 PAYG SIM to use with the device. Shortly after starting to use the service, however, I noticed that my connection was being filtered and my attempts to establish VPN connections seemed to fail. It would appear from the brief explanation I got from Three that this was being done to filter out adult content, as they could not be certain of the age of customers on PAYG connections without further verification. To make matters worse, however, the page that showed the block advertised – yes, you guessed it – porn.

This is something that all mobile phone operators in the UK seem to do. For them, ‘for the children’ seems to justify any illegal behaviour that takes place as a result of this filtering. It’s a view that completely ignores the fact that sooner or later children will gain access to that sort of material anyway. Furthermore, a lot of the material actually originates from the children themselves (google the term ‘sexting’ to see what I mean). Such user-generated material will never be caught by the filter.

Hey Three, here’s an idea: if protecting children from smut on mobiles is so important then don’t sell them the handsets to start with!

Doing anything else is little better than paying lip service to the issue and done at the expense of the privacy of others.

Further investigation

One other mobile operator in particular already uses services provided by a US company called Bluecoat to filter traffic, so I was curious to see whether the same was happening with Three. I tried visiting a custom page, produced by somebody with an interest in privacy, that had been designed to expose the entries in the web server’s access log. Sure enough, there were a couple of entries of particular interest:

Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 92.40.255.4
Remote Host: 92.40.255.4.threembb.co.uk
User Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-gb; GT-N7000 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Request URI: /stalker/[ID removed]/index.php?personal_guid=[ID removed]
Query String: personal_guid=[ID removed]
Referer Site:

Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 199.19.249.196
Remote Host: 199.19.249.196
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Request URI: /stalker/[ID removed]/index.php?personal_guid=[ID removed]
Query String: personal_guid=[ID removed]
Referer Site:

The first IP address is owned by Three. The second IP address is owned by Bluecoat. More information on the second address can be found here:

http://www.robtex.com/ip/199.19.249.196.html?tab=whois

The IDs in the log entries above have been removed by me, but they have identical values in all six cases. What would appear to be happening is that Three are sharing the requests I make to websites with Bluecoat. Bluecoat then visit the same site from their own network using exactly the same URL, my personal identifier included.

In addition I have also been visited by another Bluecoat IP address: 8.28.16.254.
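Shadow visits of this kind can be picked out of an access log automatically. The following is an added example written for this article, not code from the post or from the log-exposing page it describes: it parses the key/value layout shown above, groups requests by the personal_guid token and flags any request that repeats a token from a different /24 within five minutes of the most recent request carrying it. The sample log is constructed with made-up token values, and the five-minute window and the /24 netblock test are assumptions rather than anything the operators documented.

```python
"""Pick 'shadow visits' out of a web server access log: a request that
repeats a visitor's unique URL token from an unrelated network moments
after the original. Added example for this article, not code from the
post or from the log-exposing page it describes. SAMPLE_LOG is constructed
(made-up token values) in the key/value layout the post reproduces; the
five-minute window and the /24 netblock test are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 92.40.255.4
Remote Host: 92.40.255.4.threembb.co.uk
User Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-gb; GT-N7000) Mobile Safari/533.1
Request URI: /stalker/a1b2c3/index.php?personal_guid=7f3a9c
Query String: personal_guid=7f3a9c
Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 199.19.249.196
Remote Host: 199.19.249.196
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Request URI: /stalker/a1b2c3/index.php?personal_guid=7f3a9c
Query String: personal_guid=7f3a9c
Date/Time: 2011-11-30 18:02:10 (GMT)
Remote Address: 92.40.255.4
Remote Host: 92.40.255.4.threembb.co.uk
User Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-gb; GT-N7000) Mobile Safari/533.1
Request URI: /stalker/a1b2c3/index.php?personal_guid=7f3a9c
Query String: personal_guid=7f3a9c
Date/Time: 2011-11-30 18:02:11 (GMT)
Remote Address: 8.28.16.254
Remote Host: 8.28.16.254
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Request URI: /stalker/a1b2c3/index.php?personal_guid=7f3a9c
Query String: personal_guid=7f3a9c
"""

GUID_RE = re.compile(r"personal_guid=([^&\s]+)")
WINDOW = timedelta(minutes=5)   # assumed: a replay arrives within minutes


def parse_log(text: str) -> List[Dict[str, object]]:
    """One dict per request. A 'Date/Time' line opens a new record; its
    timestamp is stored as a datetime under the key 'when'."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Date/Time":
            stamp = datetime.strptime(value.replace(" (GMT)", ""), "%Y-%m-%d %H:%M:%S")
            current = {"when": stamp}
            records.append(current)
        current[key] = value
    return records


def token_of(record: Dict[str, object]) -> str:
    """The per-visitor identifier that nobody but that visitor should present."""
    match = GUID_RE.search(str(record.get("Query String", "")))
    return match.group(1) if match else ""


def same_netblock(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """Treat two addresses in one /24 as the same visitor's network."""
    return ipaddress.ip_address(ip_b) in ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)


def find_shadow_visits(records: List[Dict[str, object]], window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Flag each request that repeats the token of the most recent earlier
    request within `window` but comes from a different netblock. A genuine
    revisit from a new network inside the window would be flagged too, so
    the finding records whether the User-Agent changed as a second signal."""
    findings: List[Dict[str, object]] = []
    ordered = sorted((r for r in records if token_of(r)), key=lambda r: r["when"])
    for index, later in enumerate(ordered):
        for earlier in reversed(ordered[:index]):
            if token_of(earlier) != token_of(later):
                continue
            delay = later["when"] - earlier["when"]
            if delay > window:
                break   # older entries with this token are further away still
            if same_netblock(str(earlier["Remote Address"]), str(later["Remote Address"])):
                break   # the visitor's own earlier request: nothing to flag
            findings.append({
                "token": token_of(later),
                "original_ip": earlier["Remote Address"],
                "shadow_ip": later["Remote Address"],
                "delay_seconds": int(delay.total_seconds()),
                "user_agent_changed": earlier.get("User Agent") != later.get("User Agent"),
            })
            break
    return findings


if __name__ == "__main__":
    for hit in find_shadow_visits(parse_log(SAMPLE_LOG)):
        print(f"{hit['original_ip']} replayed by {hit['shadow_ip']} after "
              f"{hit['delay_seconds']}s, UA changed: {hit['user_agent_changed']}")
```

Run against the constructed log it reports two shadow visits: the 199.19.249.196 fetch that arrived in the same second as the first visit, and the 8.28.16.254 fetch one second after the later revisit. The revisit itself is not reported because the only earlier request carrying the token is from the visitor's own /24 or outside the window. On a real log the netblock test is crude; a reverse-DNS suffix or a WHOIS lookup on the organisation would be the next refinement.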

This method of duplicating visits is sometimes referred to as a replay attack. It is not just illegal, it can cause serious problems with the operation of websites too. Imagine, for example, a site where visiting a given URL confirms payment for an item. If you were to visit that site through a Three connection then the payment could end up going through twice thanks to this unwanted extra visit. Any site that changes state in response to a plain GET request is exposed in this way, because the second fetch is indistinguishable from the first as far as the server is concerned.
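As an added illustration of that failure mode (example code written for this article, not from any site the post mentions), here is a confirmation handler that charges on every fetch, beside one that consumes a single-use token, with the customer's visit and the proxy's replay run against each. The shop is an in-memory stand-in; order ids and tokens are invented.

```python
"""A payment-confirmation URL fetched twice: once by the customer and once
by a proxy replaying the identical request a moment later. Added example
for this article, not code from any site the post mentions; the shop is
an in-memory stand-in, and order ids and tokens are invented."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Shop:
    charges: List[str] = field(default_factory=list)     # one entry per charge taken
    paid: Set[str] = field(default_factory=set)           # orders already confirmed
    tokens: Dict[str, str] = field(default_factory=dict)  # single-use token -> order id
    used: Set[str] = field(default_factory=set)           # tokens already presented


def naive_confirm(shop: Shop, order_id: str) -> int:
    """Vulnerable: GET /confirm?order=<id> charges every time the URL is
    fetched, so the proxy's shadow visit takes the money a second time."""
    shop.charges.append(order_id)
    shop.paid.add(order_id)
    return 200


def issue_token(shop: Shop, order_id: str) -> str:
    """Mint an unguessable single-use token bound to one order; the customer
    is sent to /confirm?token=<token> rather than a URL naming the order."""
    token = secrets.token_urlsafe(16)
    shop.tokens[token] = order_id
    return token


def hardened_confirm(shop: Shop, token: str) -> int:
    """Idempotent: the first presentation of the token charges the order; any
    later fetch of the same URL (replay, refresh, shadow visit) is refused
    without touching the customer's account again."""
    order_id = shop.tokens.get(token)
    if order_id is None:
        return 404                       # no such token
    if token in shop.used or order_id in shop.paid:
        return 409                       # already confirmed: this is a replay
    shop.used.add(token)
    shop.charges.append(order_id)
    shop.paid.add(order_id)
    return 200


def visit_twice(handler: Callable[[Shop, str], int], shop: Shop, url_param: str) -> List[int]:
    """The customer's request followed by the proxy's byte-identical replay."""
    return [handler(shop, url_param), handler(shop, url_param)]


if __name__ == "__main__":
    naive = Shop()
    print("naive   :", visit_twice(naive_confirm, naive, "order-42"),
          "charges:", len(naive.charges))
    safe = Shop()
    print("hardened:", visit_twice(hardened_confirm, safe, issue_token(safe, "order-42")),
          "charges:", len(safe.charges))
```

In a real deployment the check-and-mark step in hardened_confirm has to be atomic (a database transaction, or a unique constraint on the order's paid flag), otherwise two fetches arriving together could both pass the check. Moving the action to a POST is good practice as well, but on its own it does not help here: a proxy that re-sends what it saw can re-send a POST body too, so the single-use token is what makes the second visit harmless.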

This is the surprising part, though: I tried complaining publicly through Twitter and Three’s own blog, as they seemed to be taking their time responding to emails. One of the moderators actually replied with the following:

[Screenshot: admission by 3 that they use Bluecoat]

That particular response can be found here:

http://blog.three.co.uk/2011/11/21/data-data-everywhere/comment-page-1/

They seem to be quite happy to admit that they use Bluecoat. There is one glaring problem with their excuse of filtering for content listed by the IWF: if you go to the IWF website you will see that Three are listed as one of the recipients of the IWF list. Why, then, send details of our online activities halfway around the world to check against a list that they already have access to?

I tried to get more details from Three as to how they could possibly believe that what they were doing was legal. The best I could get from them was this:

Hi Patrick

Thank you for your emails.

Three’s policy with regards to filtering is intended to ensure that children are protected from inappropriate content when using the internet on their phones.  This is why we require our Pay As You Go customers to prove they are 18 before they can access sites that Three considers to be inappropriate for under 18s and/or which are classified as inappropriate by the IWF.  This is not about intercepting customer communications but is about the safety of children who use our network.

We do not accept your allegations that Three’s policy in this regard breaches any of the laws that you have mentioned in your correspondence. However, if you maintain your position that Three is in breach of RIPA, the DPA, the PECRs and/or the Computer Misuse Act, then you are at liberty to take this matter up with the police and/or the ICO, and we will fully cooperate with any investigations that they may wish to instigate.  Similarly, we note your comments regarding the SABAM/Scarlet case, but do not believe that we’re required to change our policy in light of this case.

With regards to your concerns about Bluecoat, I recommend that you take the matter up directly with Bluecoat.

I hope this clarifies our final position regarding this matter.

Regards

Nicki Macleod
Social Media Advisor – Executive Office

Observant readers will also notice how Three have repeatedly tried to use the old excuse for breaking the law: ‘it’s for the children’. They appear to be trying to scare people out of complaining by raising the spectre of paedophilia.

This just isn’t good enough.

Three have decided to sell their phones to minors, both through resellers and through their own shops. It is up to Three to find an acceptable solution without trampling over the right of the entire general public to private communications. This is, after all, a problem that Three themselves have created by selling devices to children that are unsuitable for those children to use. It is probably also worth pointing out at this stage that children are generating a lot of this unsuitable material themselves through so-called sexting, often as a result of bullying. No filter can ever stop this.

Stopping the sale of such devices to minors can, however, seriously limit this type of bullying and indecent exposure.

There is no age limit within RIPA, the DPA or the CMA. Everybody has the same right to private communications, children included. If Three were really committed to protecting children then they would stop selling their devices to minors, sell them only to adults, and let the adult buying the phone decide whether filtering is required. The fact that they care so much about maximising profits at the expense of the privacy of their customers shows where their priorities really lie.

Back to Three and their use of Bluecoat’s systems: I asked Three why they were wasting money on Bluecoat’s services when any webmaster worth his salt knows how to tailor the response from the server based on the IP address of the machine making the request. They could produce a page full of innocent images for Bluecoat when they come calling, but save all the unsavoury material for the ‘real’ visitor. There is also the certainty that the service is of no use when SSL is used. I can’t emphasise this enough: if the site is protected by SSL then Bluecoat’s service is rendered useless, because the full URL, personal identifier included, travels inside the encrypted connection and there is nothing for the proxy to copy and replay. The same page used to get the log entries included in this article shows no shadow visits from Bluecoat when it is protected in this way.

The system as a whole is ineffective as a security measure.

It would also appear to be completely unnecessary, given that other operators – notably Orange – don’t appear to need to share traffic in this way in order to filter it. This is the first time I’ve seen this excuse: ‘Bluecoat made us do it’. It really does beggar belief and does nothing to encourage people to believe that any filter is capable of doing its job satisfactorily. Anybody wanting an example of how badly filters can fail should look into TalkTalk’s HomeSafe product and how it failed to block access to one of the biggest porn sites on the internet.

I wonder if Three realise that anything sent to the US can be accessed by the US government thanks to the PATRIOT Act, with Three not even being notified that a request has been made, much less complied with? Don’t they see that allowing this sort of eavesdropping increases the chance of industrial espionage? US companies could quite easily end up with access to confidential information obtained through illegal means. The potential for losing confidential information or giving away intellectual property is huge.

Three are intercepting my requests without prior authorisation from both the sender and the recipient of the communication. That is illegal under the Regulation of Investigatory Powers Act. They are sharing my information, without consent, with a third party overseas that is completely outside the reach of the regulators here. That goes against the Data Protection Act. They are interfering with the operation of a computer. That is illegal under the Computer Misuse Act.

I suppose now I had better get that complaint to the police sorted out as I have no intention of putting up with this illegal interception and sharing of my personal communications.

UPDATE:

I’d like to welcome users from the British government accessing this website and others from the EU commission whose visits have been popping up in the server’s access log over the last few months.

It is interesting, however, that despite the wealth of evidence showing the abuse of personal data by companies in the private sector, pretty much nothing appears to be done about it. BT, TalkTalk, Vodafone, Three, the media – the list goes on and on.

I hope somebody from the ICO is reading this because I’m sure I’m not the only one who would like an explanation as to why no substantial action has been taken over past transgressions when they involve the private sector.

Almost 100 times longer than the average

According to the statistics, the CPS currently takes an average of 8.6 days to come to a decision on whether to prosecute. The CPS has had a case open on Phorm for 848 days now. If it takes much longer they will have spent as long on it as they would on one hundred other cases. Of course the CPS claim that there has been no political interference, but this is very difficult to believe when these sorts of delays are involved.

And don’t expect an answer any time soon. They had previously promised to come to a decision by the end of last year, but at the last minute decided that this was no longer going to be the case.

No political interference? After 848 days spent doing virtually nothing? Do they honestly expect us to believe that?

Trying to have their cake and eat it

Senior judges are to review the Digital Economy Act following a complaint from BT and TalkTalk that it was rushed through Parliament before the election.

[…]

In particular, they claim measures in the new legislation designed to reduce copyright infringement via filesharing networks violate European rules including those on privacy and an ISP’s role as “mere conduit”.

[…]

The Register article

The hypocrisy here is simply astounding. On the one hand they want to be treated as ‘mere conduits’, yet on the other they want to be able to ‘monetise’ their customers (gods I hate that term) by spying on their web traffic so that they can be served with targeted advertising. BT have Phorm, TalkTalk have Huawei and Virgin Media have CView.

They don’t deserve to be treated as mere conduits when they behave in such a deplorable way towards their customers.

Has anybody also noticed that big business always seems to get more attention than the general public? The privacy of tens of thousands of BT customers gets sacrificed to help BT’s bottom line. The ICO’s reaction to that? Nothing. The police’s reaction? Indifference. The Home Office’s reaction to Phorm? They tried to make sure that Phorm were ‘comforted’ by the advice they were giving out, rather than do their job.

Yet when the poor ISPs face being forced to hand over details and interfere with the service they provide, they quickly manage to get a judicial review of the law.