M&S Christmas Shoppers Beware

M&S are running a Christmas marketing scam, so beware if you too considered buying from their "Christmas & New Year Food To Order".

The small print on the order form explains they will use your personal info for:
* marketing of products, services, marketing research.
* anything else listed in online privacy policy.
* only possible to opt back out is to write to them, and allow 3 months for them to try and take your details of their lists.

Reminds me of the Phishing scam emails I get. Workaround is to cross through those terms before signing.

Southern Water are just as bad, last month to register for water at my new pad, they ask for my National Insurance number!

This is definitely something the UK should legislate against. Also something that M&S's Stewart Rose should have never let happen. Probably ORG would be good at lobbying for a change here.

Magazine subscriptions a treasure trove of personal data

Just got one of those magazine subscription leaflets fall out of my paper, nothing new there. What was surprising was that their freepost piece of card asked for so much personal information, which would then be all plane to read as it made it through the postal system:

Name, Address, Daytime Tel, Mobile (aren't they the same?), email, year of birth, bank account, branch, signature.

If you must take up one of these offers, send it back in a brown envelope!

Even the EU shores up Adobe Flash now

In a bizarre twist of fate, Viviane Reding one of the non-democratically elected EU Commissioners put up her weekly video entitled "Protecting privacy in the digital age", in the privacy invading Adobe Flash format. This gives a privacy problem like the following screenshot (example I'd saved, she's not using youtube from what I could tell):



I've written about the security and privacy flaws in Flash before. Due to Flash being a proprietary binary that the user has no control over, it can happily just ignore all the cookie and privacy settings in the browser. Happily sending and receiving cookies, as well as maintaining a large set of cached files and data locally that the user is unaware of.

All we need now is for the information commissioner to advocate Adobe Flash, seeing as he's already using unique google tracking cookies to monitor the populace for two years.

I wonder how much/commission_barroso/reding/_bin/favideo/skins/ClearOverAll.swf cost us all to make, on top of the £556 price for a copy of Adobe "Flash Pro CS4" (dabs.com price). Not a good use of our EU taxpayers money!

Return Royal Junk Mail back to them

Royal Direct Mail is at it again.. but this time I've got an idea.. if it comes together it could be quite comic:











The DMA "Your Choice" scheme is ineffective, and why should we have to register that we didn't want junk mail in the first place? Not least because they will write to you 2 or 3 times to get you to reconfirm you don't want junk mail, and then like TPS and DMA lists it will expire after 3 years. Door-to-door is what Royal Mail like to call their marketing scheme. I couldn't find the Yell, Thomson Local and BT opt-out, that would have saved another 8KG of junk mail per year.

Imagine if for every piece of unaddressed junk mail that Royal Mail pushes through letter boxes around the country, just 10% of us returned it to them in the red boxes they place around the streets? Rather than me paying the council refuse collectors to take it all way, Royal Mail would have to cover the costs, and it might just bump the price up sufficiently for them to call of their junk mail programme.

If you don't have any "Return To Sender" stickers, you could always just forward it back to them. See how they appreciate arriving and having a mound of junk mail to wade through each day like the rest of us!

Royal Mail Group Ltd
148 Old Street
LONDON
EC1V 9HQ

Demos The New Politics of Personal Information FYI

An excellent report published by the Demos Think Tank titled The new politics of personal information FYI was made available last year, quote: "We no longer control what others know about us, but we don't yet understand the consequences..."

As Demos allow redistribution I created the online HTML version as only a PDF was made available at the time by Demos -- so it is be easily searchable using standard online tools now!

No online marketing opt in

I wrote about Phorm the other day. While thinking about this online marketing problem I had a quick look online. There are ways to confirm you don't opt into online web tracking services. The BBC even put up a page about their tracking of visitors.

So the list of steps sites to set the special cookies:

DoubleClick no marketing opt in.

Onmniture (WebSideStory) SiteCatalist HBX Hitbox no marketing opt in.

Nielsen no marketing opt in (make sure you click "Total Opt-Out" !)

Google Web History remove guide. (Highlighted on ORG-Discuss list)

I do think we need an international standard ad-tracking opt out like the BBC say.

For the meantime we just need Firefox and other browsers to start shipping with these cookies set by default. Also we need a Firefox extension which let's users control the cookies in a more friendly manner.

Phorm unique tracking

BBC ran a story earlier this week: Ad system 'will protect privacy'. Also the PMs site has a petition worth signing. The Phorm site has a privacy page with some more information.

Phorm say their tracking is anonymous, but surely they have miss-understood the definition of Anonymous (from the Greek ανωνυμία):

Oxford English Dictionary:

Anonymous a.
1. Not identified by name; of unknown identity.
2. Having no individual or unusual features.

Or as Chambers Dictionary puts it, "without character; nondescript"

Once I have been assigned a unique number which identifies every communication with me uniquely, surely I am no longer anonymous?

Once they have tagged my interests as "cars", "music", "travel" and "gadgets" surely that would constitute something along the lines of "individual or unusual features" ? I'm certainly no longer nondescript.

The honest way would be for Phorm to phrase it: "uniquely identified, profiled and browsing categories tracked by a number rather than a name".

Let's see what the Information Commissioner's research into Phorm reveals.

Phorm privacy problem

The UK PM's site has a petition We the undersigned petition the Prime Minister to Stop ISP's from breaching customers privacy via advertising technologies. Please consider signing it, already on 2,009 signatures, going up 500 per day!

OpenID security issue

I am very pleased that OpenID is finally taking off, I have too many site logons as it is. However, it does raise a security implication, because once my personal data has been concatenated to the point that it's as dangerous as a leak of enriched uranium waste.. someone gaining access to my bank logins subject me to fraud ultimately. I personally am pleased my online banking all has a different login system for security. if banks did ever unify their login systems I'd hold out to have a separate account for each system, as I would never use my bank login from a web-cafe as I can't be sure if it's secure.

Warning - MPS Junk mail opt out only lasts 5 years!

Having just registered with the UK's MPS (Marketing Preference Service) to stop getting junk mail I got a confirmation letter warning that it will expire in 5 years, and that it will take them up to 4 months to stop their marketing association members from junk mailing me. Not very effective+efficient is it.!? Why can't it last for ever?

What policies should prevent companies sending spam in the UK?

I guess I am fortunate that my BSc Computer Science degree included a module on Computing in Society. I was able to watch the Data Protection Act 1998 come into force (replacing the 1984 act). then in 2003 we received the the Privacy and Electronic Communications Regulations thanks to the EC!

Both of these laws prevent companies adding our personal information to marketing databases without our express consent and knowledge. There cannot be a default "opt-in" too. The Information Commissioner (formally the Data Protection Commissioner) deals with any requests for assessments when an individual needs to involve his office because the Data Controller in an organisation is not resolving an issue. Companies also need to register their use of our personal data, and provide a way to unsubscribe at the bottom of each marketing email etc.

Also register with the MPS to take away another excuse for companies sending direct marketing!

If any company breaks the rules, take them to task and get them to delete your personal details, ask for compensation if it's wasted some of your time too!

Check your insurance file

Insurance Database Services Limited run the Claims and Underwriting Exchange which holds a database of information passed to them from Insurance companies on any claims you have made. I checked my record recently and found errors on the record which Elephant had twice assured me they had corrected!

Fill in this form and write to them yourself at:
The Company Secretary
Insurance Database Services Limited
1st Floor, 100 Fenchurch St
London EC3M 5JD

Oddly they ask on that form for us to tell them what claims had been made, surely they should be the ones telling us that so we can check?

It costs slightly more than the credit reference agency file, coming in at £10, but maybe you can argue for it back if there are errors?

Check your credit file for only £2

I'm glad I checked my credit file recently, both Experian and Equifax had erroneous data from two banks.

The good news is we can pay £2 by cheque or postal order to the companies and get a full copy. Be sure to include your D.O.B. full name and previous addresses in the last six years!

Write to:
Experian Limited
PO BOX 8000
NOTTINGHAM
NG1 5GX

Equifax
Credit File Advice Centre
PO BOX 1140
BRADFORD
BD1 5US

Consumer Services Team
Callcredit plc
PO Box 491
Leeds LS3 1WZ

Interestingly, although they hold a database on us, it is currently regulated by the Credit Act rather than the Data Protection Act (so the Information Commissioner does not directly regulate).

Missing Data Protection Contoller contact details

I've noticed in recent years that I will purchase something or donate to a charity, and then discover that despite not ticking the box to opt into their marketing (or vice versa, always ticking to opt-out!), I've been added to their marketing databases. Often my details are then sold on to other companies, I've had Oxfam passing my details to Crisis, and also SmileTrain have just passed on my details to RNLI and MINT I suspect.

The problem is, they don't include a clear address to write to get in touch with the Data Protection Controller and track down the cause of this leak. Also the organisations are often unwilling to put in place policies to verify consent was provided before they buy in data. Many Data Protection Controllers do not even keep records of where they obtained the data from (Gateshead Council Electoral Roll return slips) (Gateshead sold my details to Harveys Furniture Store).

In my experience many Controllers are unwilling to divulge who they have distributed personal data too, or the source when they must have records of it.

I think we need a few "cultural" changes relating to Data Protection of persons information by organisations which we hope we can trust:

• Include full contact details for Data Protection Controller in all communications.
• Data Protection Controller needs to keep records of where personal data arrived from and that permission has been provided and verified.
• Penalties and compensation for breaches of personal data and the time taken to sort out the problems of unauthorised data leaks.
• ICO office being given more powers to investigate/audit organisations, and do spot checks to verify data breaches and record keeping in organisations.
  

Some organisations are not even registering on the Data Protection Register, in my view they should be fined and audited by the ICO, charging them for the cost of the audit.

The HMRC incidents in the UK really highlight how lapse this situation is at present. So Data Controllers, have a new years resolution to do your jobs properly! ;)

Cookie filter and block for Firefox?

I use Firefox's Adblock and Filterset.G.Updater extensions to ditch the advert pollution on many pages of the interweb. What we really need is a decent CookieBlock and CookieFilterset updater, the sort that blocks cookies like urchin I blogged about before. Is it that because cookies aren't visible they're not annoying enough to start blocking the unique trackers on pages? Should have been available before now, so as Mozilla guys aren't implementing as a core feature I hope someone will scratch the itch as an extension ;)

When even the Information Commissioner's office is tracking us, who's left to trust?

I posted last month about cookie tracking, and now I noticed that none other than the UK Information Commissioner's website is also assigning me a unique number which does not expire until 2009!! Spot the referal tracking too? and what does "organic" mean?

I could not believe that this would be something the ICO Richard Thomas, would have allowed his office to set this up. I can't even think this was an oversight, as it is necessary to sign-up for the tracking system account before you can use it!

Interestingly, even googling for "information commissioner" gives me the warning that the website is trying to set a unique tracking cookie on my computer.
Before anyone posts saying it is anonymous, check the definition of anonymous -- "lacking individuality, unique character, or distinction", oops Mr ICO!

So much for warning of the big brother state then Mr Thomas!?

The ICO is an independent office of government, responsible for protecting access to personal information and providing access to official information. Covering the following legislation: Data Protection Act 1998, The Privacy and Electronic Communications (EC Directive) Regulations 2003, and the Freedom of Information Act 2000.

Let's see if the ICO practices what preaches regarding privacy any time soon...