Information security, and how not to do it

On the 21st of this month, I received an email from a company*, advertising their upcoming online seminar, and various other online courses they ran, including ones on the Data Protection Act, and information security.
Since I wasn’t interested in their courses, and didn’t remember signing up to receive any marketing materials from this company, I clicked on the unsubscribe link. However, when the unsubscribe page opened, the name and email fields were already completed…and none of the information was mine.
In fact, the email address was for a Junior School in Portsmouth (edited version below).

This is not great, in terms of information security…you know, that thing they’re running online courses on?
So, I replied to them within an hour, pointing out that the information in those fields was not mine, and they might want to do something about that.
To date, I’ve not received an acknowledgement of my email, or any form of response.
I was also not alone in receiving this email, and finding someone else’s information in the form when following the unsubscribe link.

However, in the days since, the form the link leads to has changed… well, to be specific, the information viewable in the form has changed. Yes, it’s gone from being the contact details of the school in Portsmouth, to the address of a private school yesterday, and today, one for a university. The first two times, the emails were admin addresses, but the university address is the work email of an individual, with their proper name in it (instead of, as above, “No” and “Thanks” being the name).

Now, mistakes happen, and making a link to a form that shows the details of the last person who’s used it was probably an accident. But this is not how you deal with it.

What would I have done if this had been my mistake?

  • When I got the email pointing it out, I would have responded to the person contacting me, apologising for the issue, and thanking them for bringing it to my attention
  • I would have deactivated the link immediately
  • I would have got whatever glitch it is that’s preserving the last page user information fixed
  • Once that was done, I would have emailed everyone that had received the previous email, apologising for the issue, and telling them that the unsubscribe link was now secure and anonymous
This company has done none of that. Allowing anyone to view names and email addresses of strangers is not as serious as sharing work or home addresses, or more sensitive personal information, but this is a company which is running a business specifically selling training on data protection, and information security. Hands up who’d feel confident about using their training, if this is how they put it into practice?
*I have not named the company here, but contact me directly if you would like to know who it is.
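As an added illustration (not the company’s code, whose actual defect is unknown), here is one common way a form ends up showing “the last person who used it”: the server keeps the most recently submitted values in a single shared variable instead of per-visitor, so every visitor is prefilled with the previous visitor’s details. Beside it is the fix I’d expect from a company selling data protection training: the unsubscribe link carries a signed token naming one recipient, the page prefills only from that token (and only a masked hint), and nothing is kept in shared state. The subscriber list, secret, and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber list, not real data.
SUBSCRIBERS = {
    "sub-001": {"name": "No Thanks", "email": "admin@example-school.invalid"},
    "sub-002": {"name": "Jennie", "email": "jennie@example.invalid"},
}
UNSUBSCRIBED = set()

# --- Vulnerable pattern: shared "sticky form" state (hypothetical cause) ---
# One module-level dict holds whatever the last visitor submitted, so the
# next visitor's form is prefilled with a stranger's name and email.
_last_form = {}


def vulnerable_submit(name, email):
    """Record the submitted values so the form can be 're-shown' later."""
    _last_form.clear()
    _last_form.update({"name": name, "email": email})


def vulnerable_open():
    """Open the unsubscribe page: prefills from the shared state (the leak)."""
    return dict(_last_form)


# --- Hardened pattern: per-recipient signed token, no shared state ---
# Per-deployment signing key (assumption: loaded from config in a real app).
SECRET = secrets.token_bytes(32)


def make_unsubscribe_token(subscriber_id):
    """Token embedded in each recipient's unsubscribe link."""
    mac = hmac.new(SECRET, subscriber_id.encode(), hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{mac}"


def verify_token(token):
    """Return the subscriber id if the token is genuine, else None."""
    sid, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(mac, expected) and sid in SUBSCRIBERS:
        return sid
    return None


def mask_email(addr):
    """Show only the first character of the local part: a***@domain."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def safe_open(token):
    """Open the page: prefill only from the visitor's own signed link."""
    sid = verify_token(token)
    if sid is None:
        return {}  # unknown or tampered link: empty form, reveal nothing
    return {"email_hint": mask_email(SUBSCRIBERS[sid]["email"])}


def safe_submit(token):
    """Process the unsubscribe; nothing is written to any shared variable."""
    sid = verify_token(token)
    if sid is None:
        return False
    UNSUBSCRIBED.add(sid)
    return True


if __name__ == "__main__":
    vulnerable_submit("No Thanks", "admin@example-school.invalid")
    print("next visitor sees:", vulnerable_open())  # another person's details
    link = make_unsubscribe_token("sub-002")
    print("hardened page shows:", safe_open(link))
    print("tampered link shows:", safe_open(link[:-1] + "x"))
```

The point of the token is that the page never has to ask “who was here last”; the only identity it knows is the one the link itself proves, and a tampered or forwarded link yields an empty form rather than someone else’s data.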

No (Form)spring in this step

Yes, I’m the type of gal who likes to mess about and try new tools and sites. So, nine months ago, Formspring seemed like an amusing timewasting tool – people can ask you questions, either putting their name to them (usually a Twitter name), or anonymously. You then can answer them, and post the responses in your Formspring stream, either for the world to see, or only to your followers (I’m not sure if this was originally an option). You can also follow other people, and ask them questions too, so it can be quite interactive.

Yes, I know it was and still is attracting bad publicity for the fact that school kids use it to bully each other, but school kids can and will use anything to bully each other, from verbal abuse, notes written and passed around, text messages, or messages on various popular sites that over time have moved from MySpace, to Bebo, to Facebook and Twitter. Just because some people misuse it, doesn’t mean a tool is inherently bad. And as an adult, if I didn’t like any questions I received, I could either delete and not answer them, or publish them with a good putdown response.
So, I had fun: I was asked a lot of questions, and in the process actually had to think quite deeply about some things: in daily life you’re not often asked about your aspirations, dreams, or fears, so I learned a bit about myself. I also laughed myself silly at some of the questions, and had great fun thinking up suitably silly responses.
But, after a few months, I got bored. I abandoned the account about six months ago, and recently decided it was time to shut it down – why have that info floating about freely out in the world if I’m not actively using that service? So, I went to close the account.
But no, you can’t shut your account, you can only disable it. Huh? But…erm…I want it gone, and everything on it: there’s no sensitive info in my responses, but it is my choice whether that info stays posted, or not.
Ok, no delete account option? Right – let’s delete those questions and answers: surely there must be a “delete all” option? No.
Oh.
Cue me spending a good chunk of time deleting individually (with a pop-up “are you sure?” box for every one) three hundred and eighteen entries. Six hundred and thirty six clicks to delete. Not counting the page refresh every time the page of entries was done, to reload more to delete.
Ok, so they were all gone, yes?
No.
When I deleted the entries, the questions were regarded as unanswered, and went back into my inbox, waiting for me to answer. As the questions themselves still sometimes contained potentially identifiable info about me, I wanted them gone too. Now, this was marginally better: at least the questions could be deleted in chunks of twenty five at a time. So only thirteen clicks to get rid of them. Plus page reloads.
*sigh*
Right, anything else I can do to remove “me” from this site, since they won’t get rid of the account?
OK, the profile picture – I can remove that, yes?
No. There’s no option NOT to have a picture, just to replace a picture. Hmmmm. Right, so I’ve now replaced that with a picture of something else random, but the option to not have a picture at all would have been far better.
What else? Oh look – I can effectively “protect” the account, so anyone who’s currently subscribed to see what I post, and be alerted when I answer a new question, is removed, and has to request to “refollow” me. Much like Twitter – a better way of controlling who sees the material you’re posting. Ok, so the account I want to kill is now protected.
Now, after doing all this, clearing everything out that I can and making what’s left as inaccessible as possible, I’ll disable it. And look, there’s an option when disabling it to say why you want it disabled, and add further comment…so I informed them that I no longer wanted the account, and wished for it to be deleted.
Let’s see if they get back to me on this point, eh?

Mainly unprofessional

So, I’m following some of the “New Professionals Conference 2010” online and one of the tools referred to was Personas, to see what your online presence is like. Or, how references by, to and about you online appear visually.
I used my normal online username (it’s more distinctive than my “proper” name), and was pretty amused by the results.
It seems that the thing that I’m least of all, is “professional”, closely followed by “committees”. Whoops!
Mainly, I’m either aggressive, or I provoke aggression, and sports and fashion feature highly. Hmmmm, I’m thinking that there’s maybe something REALLY ODD about this.
Wanna fight about it? Huh? DO YA?!?!
😉
Edited to add: OK, so it does a different thing every time then?!? This is what I got when I redid it, for the same single word username (so it’s not getting confused by two words, misspellings etc). Perhaps this is the truer one? More online, and social, MUCH less aggression…but perhaps that’s because it’s been joined by “military”. Whaaa?

We’ll tell you about privacy…but only if you use Internet Explorer

So, I bought a can of Coke. It had a code under the ring pull, that advised you to either text (for a cost), or visit the Coke Zone website, to see if you’d won a prize.

So, I toddled off to the website, entered the code, and hit return.
Oh.
I got a pop-up, telling me to log in if I was a member, or register if I was a new user. It wouldn’t tell me if I’d won anything without me being a member. Which is annoying – I don’t mind giving my details in exchange for certain things, but in order to find out if I’d maybe won a prize? No ta.
So I decided to look at the Coke Zone privacy policy (which you must agree to in order to register with the site). I ran into a problem here – when I clicked on the link, I got nothing. Well, I got a page, with a big expanse of white where the content should be. I was using Chrome, so I decided to try Internet Explorer….yay! The content was all there!
So I wondered if it was just me and Chrome that had issues viewing the content…nope. Others said they couldn’t see anything if they used Safari, Opera or Firefox (although one person said they could see it when using Firefox on a Mac).
So, the privacy information’s sort of magical…for a large number of people, it’s invisible. But if you’re using IE, it’s there.
Needless to say, I didn’t register, so if I won something, I’ll never know. But at least I can be sure Coke aren’t randomly distributing my information about the internet with my blind agreement…

No publicity, please!

So, last week I did a firewalk for charity, at Edinburgh Zoo. Due to the ‘delightful’ roadworks going on in Edinburgh for, ohhh, eternity, I arrived at the event at 7pm just as the briefing started, instead of the planned 6.30pm for registration.

Apparently, in the few minutes before the briefing officially started, it was announced that a daily news show crew were there to film us, and if anyone objected to being filmed, could they make themselves known. It seems like nobody did, because we were all filmed by the crew at various points, usually in the background to the presenter.

I have absolutely no desire to be on TV, particularly during a stressful event, so I was not best chuffed to find out by questioning other firewalkers that what I thought was perhaps going to be a promotional clip for the company organising the firewalk, or for the Zoo itself was actually going to end up on national telly. Added to this was the fact that I had not been asked about my agreement to the filming, and had not given permission either verbally, or in writing.

I’ve viewed the report, and can clearly see myself at one point, although others might not recognise me. I have no way of knowing what other footage that I may have been in was cut.

So, my questions are…
Since I was repeatedly filmed in a private place (the seminar room of the Zoo) without my permission, could I justifiably have objected to the use of the footage?
Is the firewalk area of the Zoo (a grassy public area in the middle, after opening hours of the Zoo) also a private area?
Is it legal to film people like this when they haven’t given any sort of provable agreement?

It’s a moot point now, as the footage is out there, but it’s something that annoyed me, as I think you can tell!!

Phormless

After some checks by someone who’s much more technical than me, it appears the invite for the survey was for a BT telephone directory.
Glad of that – the less I have to do with Phorm the better (although as a Virgin Media customer, I wonder if that decision’s always going to be mine to make).

Phorm-filling

I participate in various online surveys, getting pennies, or prize draw entries in return.
Last night, I got sent the following invite – hands up who thinks it’s in some way linked to BT’s Phorm experiment?

Hi Jennie,

We have a new survey available for you to take. You will also be asked if you would like to take part in an ongoing program run by BT in which you will be asked to take part in online activities. You will need to provide your e-mail address and register on the website so that you can be sent the details of how to take part. In exchange for taking part you will be entered into weekly prize draws. If you complete the survey but do not register to take part in the rest of the online program you will be rewarded 25p; if you register to take part in BT’s online activities you will receive £1.00. You will also be redirected straight to a BT site at the end of the survey. Please be assured that your e-mail address will only be used to contact you about this study.

Or maybe I just have a mind that sees devious information-stealing software around every corner….