Reading the small print: Spotify

Spotify made the news for their new T&Cs [1] which give the music-streaming company the right to capture just about any information about you that they like:

By using or interacting with the Service, you are consenting to: the collection, use, sharing, and processing of information about your location, including any related interactions with the Spotify service and other Spotify users ... the use of cookies and other technologies; the transfer of your information outside of the country where you live; the collection, use, sharing, and other processing of your information ... [2].

And:

With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files [3].

How about:

Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit) [2].

Or your FaceBook credentials:

If you connect to the Service using credentials from a Third Party Application (as defined in the Terms and Conditions of Use) (e.g., Facebook), you authorise us to collect your authentication information, such as your username and encrypted access credentials. We may also collect other information available on or through your Third Party Application account, including, for example, your name, profile picture, country, hometown, email address, date of birth, gender, friends’ names and profile pictures, and networks [2].

Why do they want all this information? To “improve your experience” whilst improving their targeting advertising:

We may use the information we collect, including your personal information....to provide, personalise, and improve your experience.....with the Service and products, services, and advertising (including for third party products and services) made available on or outside the Service (including on other sites that you visit), for example by providing customised, personalised, or localised content, recommendations, features, and advertising on or outside of the Service [3].

So what can you do about this? Probably not a lot; realistically all you can do is find another streaming service. But as long-time Spotify users started to desert the streaming company their CEO issued an apology stating that “If you don’t want to share this kind of information, you don’t have to” [4].

Whilst these T&C are quite intrusive, online T&Cs have been an area of debate for a while. Because of their length and complicated legal jargon few people ever read them. Research undertaken back in 2011, shows that as few as 7% of Britons read online terms and conditions before signing up to a service [5]. A Fairer Finance survey in 2014 [6]  found that some online T&Cs run to nearly 30,000 words, or the size of a small novel and unsurprisingly 73% of those surveyed admitted to not reading all the small print let alone understanding it. Ever read Google’s T&Cs? They can legally scan everything you search for as the Boston family discovered after innocently googling rucksack and pressure cooker, which led to a visit from a terrorist task force [7].

Last September F-Secure undertook an experiment to test how many Londoner’s read the small print for free a Wi-Fi service. Included within the experiment’s T&C was the so-called Herod’s clause – promising the free Wi-Fi if “the recipient agreed to assign their first born child to us for the duration of eternity” [8].

As we are starting to discover in this blog, you don’t get anything for free. So, next time you sign up for anything online, be it software or services, even if you don’t have the patience to read 30,000 words, you should at least have a cursory glance at some of the small print.

[1] https://www.spotify.com/us/legal/privacy-policy/?version=1.0.0-GB

[2] http://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/

[3] http://www.lifehacker.co.uk/2015/08/21/what-you-really-need-to-know-about-spotifys-creepy-new-privacy-policy

[4] https://news.spotify.com/us/

[5] http://www.theguardian.com/money/2011/may/11/terms-conditions-small-print-big-problems

[6] http://www.theguardian.com/commentisfree/2014/apr/24/terms-and-conditions-online-small-print-information

[7] http://www.thewire.com/national/2013/08/government-knocking-doors-because-google-searches/67864/

[8] https://www.washingtonpost.com/news/speaking-of-science/wp/2014/09/29/londoners-accidentally-pay-for-free-wi-fi-with-a-firstborn-because-no-one-reads-anymore/

A badger to stop trackers

Earlier this month EFF released Privacy Badger 1.0 [1]; a browser add-on that stops advertisers and other 3^rd party trackers.

So do we need yet another cookie blocker?

EFF admit that Badger is similar to Adblock Plus (Badger is actually based on ABP code), Ghostery, Disconnect and other cookie blockers [2]. However, Badger is slightly different in some much as rather than block all cookies, it focuses on enforcing Do Not Track (DNT) settings. When DNT is enabled in a browser, information is sent in the HTTP header to inform companies that you do not consent to being tracked and want to opt out of tracking for purposes such as behavioural advertising. The problem with DNT is it is voluntary; meaning data harvesting companies can legally (?) ignore a DNT request. Additionally DNT has suffered some adversity, such as from Yahoo in 2014 [3]. Because self-regulation of DNT has not been effective, EFF have developed Badger in order to block repeat DNT offenders.

EFF researchers found that blocker add-ons such as Ghostery and ABP require some user configuration in order for non-consensual tracking to be blocked effectively, stating that, in their default settings, Ghostery does not block anything and ABP is not set to block invisible trackers [2]. So even if you already run cookie blockers, Badger should complement your online privacy.

A key design feature of HyperText is it allows web pages to interact with other third party sites for a richer browsing experience; such as news feeds, maps, comment boards etc. Unfortunately the majority of these 3^rd party sites are advertisers who download a tracking cookie to your browser [4]. As the 1^st party site does not need to declare 3^rd parties, this has become a serious privacy issue. With ZAP running, downloading a website will display a whole bunch of connections to other 3^rd party sites for information. FireFox developed Lightbeam [5] to provide a real-time perspective of just how many 3^rd parties 1^st party sites interact with. Ad targeters such as Google AdWords, hold a mini auction to sell your web space to the highest bidder before a webpage loads [6].

So why not just run Ghostery and tell it to block ALL cookies? In some cases 3^rd party domains can provide additional “useful” information to support a web page, such as style sheets, maps, images. In this instance Badger allows connections to 3^rd parties, but blocks tracker cookies and referrers [2]. Some cookies are used to hold website preferences such as which language the website should be presented in. Carte blanche blocking of all cookies may impede the browsing experience. Where ABP works on a blacklist of known unwanted domains, Badger works by observing the trackers behaviour over time rather than blocking everything out right. Because Badger blocks visible and hidden 3^rd party trackers, it also unintentionally blocks some, but not all, ads. These blocked ads are non-consensual ads that abuse DNT, invading privacy. EFF states that Badger is not intended to be used as an ad-blocker, suggesting that if you want to block ALL ads you should also run an ad-blocker app. However, installing an ad-blocker and setting it to block all cookies, might make badger partially redundant.

Badger does have its limits. It can block cookies as well as locally stored super cookies (persistent cookies which cannot be stopped by “private” or “incognito” mode [7]). However blocking sites that identify users through browser fingerprinting is more difficult. Badger can block canvas based fingerprinting [8] but not other fingerprinting methods [9]. EFF does have future plans to address 1^st party DNT abusers. Blocking DNT on 1^st parties is more complicated as many are only able to offer free web services because they are funded by advertising. EFF theorises that visiting a 1^st party site means you must have some sort of relationship (or interest) with them whereas you do NOT have a relationship with 3^rd party sites which may be abusing DNT. 

Badger is currently only available for FireFox and Chrome, but EFF have made Badger’s code available on github [10] for use by developers and other browsers.

So again, do we need yet another cookie blocker? If you want to block as many 3^rd party trackers as possible and have tweaked the default settings of Ghostery, ABP, etc, then you might not see a great deal of value from Badger. However, if you want to block 3^rd party trackers and run Ghostery, ABP, etc, out of the box then Badger should enhance your online privacy. 

[1] https://www.eff.org/deeplinks/2015/08/privacy-badger-10-here-stop-online-tracking

[2] https://www.eff.org/privacybadger

[3] http://www.theregister.co.uk/2014/05/02/eff_privacy_badger/

[4] https://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks

[5] https://www.mozilla.org/en-US/lightbeam/

[6] https://support.google.com/adsense/answer/160525?hl=en

[7] http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html

[8] http://filelifter.de/assets/plugindata/poola/thewebneverforgets.pdf

[9] http://www.computerworld.com/article/2517643/internet/eff--forget-cookies--your-browser-has-fingerprints.html

[10] https://github.com/EFForg/

Of course Windows 10 is free when you pay with your privacy

Just three days in from Microsoft’s free upgrade to Windows 10 and complaints and criticisms are underway. Windows 10 default privacy settings have been widely criticised for sending personal information to Microsoft, using bandwidth to upload data to other computers running the operating system, sharing Wi-Fi passwords with online friends and removing the ability to opt out of security updates [1]. Upon installing the new OS, Microsoft assigns the user a unique advertising ID which is tied to the email address that was used to register with Microsoft [1]. This email address is then associated with a raft of other services, such as app downloads, web browsing and cloud-storage uploads. By tying an ID number to users, Microsoft can use this to track users across different devices, services and applications [2]. The upshot of this means Microsoft is able to personalise adverts to each user. Even solitaire now has unskippable video adverts [1].

According to Microsoft, to allow Cortana (Microsoft’s personal assistant equivalent of Siri) to personalise its response it “collects and uses various types of data, such as your device geo-location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device” [7]. But haven’t both Google and Apple been accessing user data to personalise responses for a while now? And in return for offering their applications for free they have trawled your personal data in order to deliver adverts customised just for you?

The EDRi (European Digital Rights) say that Microsoft’s 45 pages of t&cs “grants [Microsoft] very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties” [3].

Microsoft’s new update service has also come under criticism. Not only does it remove the option to NOT install updates, but WUDO (Windows Update Delivery Optimisation), which is enabled by default, uses a P2P service which means once your device has downloaded the update, this update can be shared with other people online [4]. It makes sense to share updates, but users are not happy that this is at the expense of their own bandwidth. For some time now, experts have warned of the dangers of not updating systems, in particular for security patches (see So, you are an online security expert are you?). All Microsoft have done (as have Firefox, Google and countless other applications) is take the user out of the equation; I would argue at the benefit rather than determent of the user.

It’s not very often I champion Microsoft, but for once they are in a no-win situation. Users want more from their OSs and are relying more on the web and multiple application integration to deliver these services. Users are becoming more reliant on personal assistants; which need to learn user behaviour to be of any real value. I am sure that if Microsoft had disabled all these settings by default they would have received just as many complaints saying it is too complicated to enable them all. What I don’t understand in all this is that this comes as a shock to those complaining. Why? Microsoft has issued a FREE upgrade. I challenge you to show me one thing on the Internet that does not cost ANYTHING. Usually you pay for zero-cost by sacrificing something else; typically loss of privacy and usually this is through advertising or selling your data. Would these complainers rather pay for Windows 10 with privacy settings to be enabled by default?

For those that both want their cake and to eat it - Cortana can be set to “Stop getting to know me” [2], WUDO can be disabled [4] and with a bit of effort most default enabled settings can be disabled [5] [6].

Personally, I believe that a) security settings should be enabled by default; let the user turn these off if they know how and really need too, and b) personal privacy settings should be disabled by default; if the user really decides that they need Cortana to know their geo-location so it can recommend the nearest McDonalds, then let the users go to the effort of setting this.

It always saddens me when users are prepared to forfeit their privacy for something that is “free”. With non-open source software you never quite know what you are sacrificing. Privacy is easy to give away, but very difficult to get it back. For myself, I see no immediate hurry to upgrade to Windows 10, so in the meantime, will be sticking with Windows 7 ... well, at least until Microsoft tell me I have no choice!

[1] http://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings

[2] http://betanews.com/2015/07/31/the-real-price-of-windows-10-is-your-privacy/

[3] https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/

[4] http://betanews.com/2015/07/31/stop-windows-10-using-your-internet-connection-to-share-updates-to-other-people/

[5]http://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/

[6] http://thenextweb.com/microsoft/2015/07/29/wind-nos/

[7] https://www.microsoft.com/en-us/privacystatement/default.aspx?Componentid=pspMainCortanaModule&View=Description