East Coast Respond on Data Collection Concerns

I’ve now received a positive response from UK train operator East Coast in relation to the data collection and retention concerns I had after booking a journey with them recently.

The general gist of it is that the mandatory collection of marketing data like age, number of children, etc., was “not as specified”, and it is “being fixed” so that it’s no longer mandatory to enter these details just to change your account data, such as your email address, or opt-in/out status of marketing emails.

They don’t, however, consider the information collected as excessive, as long as it’s optional and you volunteered it in the first place.

But at least they have said they are fixing the inappropriate mandatory fields in their webforms.

East Coast data hoovering – an update

Before you get too excited, I’ve not heard anything back from the powers that be at UK railway operator East Coast about the data protection concerns I have after booking tickets online. It’s only been a week. Let’s give them some time…

However, I did make the train journey whose booking led me to be concerned about the excessive and irrelevant data they were collecting, which could only be stored for one reason, and that is to improve their market intelligence.

During the journey, I used the on-train wifi, which requires you to “register”, and asks you to provide another stream of compulsory personal information. While they didn’t want to know my inside leg measurement this time, again they want to know who I am, where I live, what’s my nearest station, and what is my reason for travelling, again as “mandatory” responses, before allowing you to use the on-train wifi service.

I don’t understand how your nearest station, or why you’re travelling, are relevant to allowing you to access the on-train internet access service. Of course, I didn’t actually put any genuine details in this contact form.

This wifi registration page also presents the “opt-in” for marketing email as already ticked – so if you don’t notice and don’t untick the box, you’re opted in to their email marketing. While it complies with the letter of the law, it doesn’t really feel to be in the spirit of the law.

What’s your perception of East Coast’s data collection and retention policies based on what you’ve read?

IBM Bans Siri – Over an age old concern…

IBM has banned its staff from using Siri – Big Blue has allowed its staff to BYOD and use their iPhone 4S on the company’s networks, but banned the use of Siri over fears that the sound bites uploaded for processing by Siri could contain IBM proprietary information, which could be stored indefinitely, and analysed by Apple.

This isn’t a new concern for corporates. It came to the forefront when employees commonly used services like MSN Messenger to keep in touch with their colleagues, and of course all but the paranoid thought nothing of discussing company business over IM, in unencrypted packets, routed over the commodity Internet, to some server farm their employer didn’t have any control over. Who knows if and how long a messaging service could retain transcripts of chat sessions? Or if the packets were “sniffed” in transit and the transcript rebuilt?

Companies then got wise and started to provide internal IM systems which they had control over, and having their IT departments block external chat platforms (let’s assume we’re talking about vanilla users who don’t know how to punch their way through these things for now). This also obviously helped for things like regulatory compliance.

Most recently, this has moved into the social networking arena, with things such as Twitter and Facebook – people have lost their jobs over committing corporate faux-pas on a publicly viewable service. This has opened the doors to platforms such as Yammer, a SaaS-based corporate social networking platform, who seek to give the company back some control. All the things your employees know and love about social networking, but just for your company and its staff, with you in control of the data and the rules. Your regulatory compliance people can sleep easier at night.

So, while there’s no current evidence to support the notion that Apple are using Siri to spy on Big Blue, it’s fair to say that IBM aren’t bellyaching: I think it’s a legitimate data privacy concern, and it’s one that you should share.

When you post something on Twitter, or Facebook, or write a blog, you know that you’re putting it out into some sort of public (or shared) domain. You expect other people to see it, and you expect it to be stored (though maybe you’re not clear on just how long it’s being stored!).

I think people’s mindset is different when talking to Siri. They have the concept, in their head, that they are talking to their phone, and overlook the fact that what they’ve just said has been uploaded to a server farm, possibly in a location outside of their home jurisdiction, to be processed. Do those of you who use Siri even think about the fact that this is what happens? Or that what you have just said has been placed into storage, potentially forever?

So many of the geeks I know are hoarders by nature, so it’s a force of habit for them to turn on lots of logging and want to keep everything forever (or at least until the storage runs out or they can’t afford any more), “just in case they need it”, and I suspect the backend of Siri is written no differently, because that’s how programmers are.

Given a company the size of Apple, I don’t think there are any concerns about the storage running out, and the Siri licence agreement doesn’t say for how long you’re consenting to Apple storing the soundbites collected by Siri. With a large enough sample size, statistical analysis also makes it easier to find needles in such haystacks, and we’re getting increasingly good at it.

Could market intelligence generated from analysis of Siri requests even be a revenue stream for Apple in due course?

My opinion is that it is a legitimate privacy concern…

Want to book a train ticket? Then we need to know how many children you have…

…at least if you’re UK train operator East Coast.

I thought nothing of booking some train tickets online. I even got a decent deal. I doubt I could have done the journey cheaper in the car. They wanted me to register with the site, but then, most train companies do. They gave you an option to opt-out of email, which I took.

So, you can imagine my surprise when the next day, I got an email from East Coast, which started with “Now that you’re registered with us, we’ll be able to send you exclusive offers by email…”

Erm. No, you shouldn’t be…

So, I thought I’d log into the East Coast website and check my communication preferences.

Not only did it show me as being opted in, but in order to untick the box and opt out, you have to complete some mandatory information in the “My account” page, before it will save the preferences and unsubscribe you from their mailshots.

What sort of information is it asking for?

  • My nearest rail station
  • My year of birth
  • How many children I have and how old they are
  • What the purpose of my journeys usually is
  • Who else I buy train tickets from

Now, having to fill this irrelevant information in just to change your preferences and unsubscribe from a mailing list, seems a bit excessive, don’t you think?

Note that you don’t have to give any of this information when ordering the train ticket itself (otherwise I’d have gone to an alternate online ticket seller, if I’d have known), just if you need to change anything in your account.

Yes, it’s very obvious that they are harvesting this information to build market intelligence, but this should not be collected on a mandatory basis.

I also tried the “Unsubscribe” link in the marketing email they sent, however that seems to have no effect on the preferences shown in the account on their website, which still show me as opted in.

Such an attitude to collection and retention of personal data seems a bit cavalier, doesn’t it?

I very sensibly used a + sign and token in the email address I used when signing up with East Coast, which makes the email address they use to reach me unique to them. So if they are seriously cavalier (i.e. stupid enough to sell it on to a third party) then I know whodunnit.

(Another irony is that the input sanity checking in their email contact form won’t accept a + sign token, of course, while their website will as part of a username.)
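The + token approach and the contact-form inconsistency described above, as an added example that is not from the original post or from East Coast's code: it issues a vendor-specific address, maps an inbound recipient address back to the vendor it was issued to, and shows an over-strict validator rejecting what an RFC 5322 style one accepts. The mailbox, the vendor name and both regular expressions are assumptions made for illustration.

```python
import re

# Constructed sample values: mailbox and vendor names are placeholders.
BASE_MAILBOX = "alice@example.org"

# Assumed over-strict pattern of the kind that rejects a "+" token.
STRICT_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# RFC 5322 "atext": characters allowed in an unquoted local part, "+" included.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
LENIENT_RE = re.compile(
    rf"^[{ATEXT}]+(?:\.[{ATEXT}]+)*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def issue(registry, base, vendor):
    """Create a vendor-specific address and record which vendor received it."""
    local, domain = base.rsplit("@", 1)
    token = re.sub(r"[^a-z0-9]", "", vendor.lower())
    if not token:
        raise ValueError("vendor name yields an empty token")
    if registry.get(token, vendor) != vendor:
        raise ValueError(f"token {token!r} already issued to another vendor")
    registry[token] = vendor
    return f"{local}+{token}@{domain}"


def attribute(registry, recipient):
    """Map the recipient address of an inbound mail back to a vendor, or None."""
    local = recipient.strip().lower().rpartition("@")[0]
    _, plus, token = local.partition("+")
    return registry.get(token) if plus else None


def accepted_by(pattern, address):
    """True when the given validation pattern would accept the address."""
    return pattern.match(address) is not None


if __name__ == "__main__":
    registry = {}
    addr = issue(registry, BASE_MAILBOX, "East Coast")
    print(addr)
    print("strict form accepts:", accepted_by(STRICT_RE, addr))
    print("lenient form accepts:", accepted_by(LENIENT_RE, addr))
    # Constructed inbound recipient, as seen in a message's To: header.
    print("issued to:", attribute(registry, "Alice+EastCoast@example.org"))
```

A site that stores the tagged address as a username but validates it with the stricter pattern elsewhere leaves the user unable to quote their own registered address in that form.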

It seems East Coast may find themselves falling foul of the Email Marketing Regulations and the Data Protection Act:

  • Sending marketing email which has not been asked for.
  • An unsubscribe mechanism which appears to be ineffective.
  • Mandatory collection and retention of irrelevant and excessive data.

I had a quick chat with a very helpful person from the ICO helpline yesterday, about how to approach the complaint, they agreed that it didn’t seem right that one had to provide such personal data in order to change one’s email marketing preferences, and told me to conduct all communication with East Coast in writing and keep copies of everything.

I’ve written (yes, snail mail!) directly to a suitably senior bod at East Coast explaining my concerns, and I’ll let you know what I hear.

SOPA/PIPA Roundup

I’ve sort of wanted to write things about the frankly worrying SOPA bill in the US Senate and PIPA bill going through the US House of Representatives at the moment, but the fact is, others are doing a perfectly good job writing about it elsewhere, and why the hell should I waste even more precious bits repeating the good stuff they have already said.

So, I’ll quickly roll-up what I think are interesting articles:

I’ll add more as I find/read them and think they are worth linking to. There are a lot of articles and opinions out there, as you can imagine, and I’m now just adding to the melee, I suppose.

But, the most worrying thing I find is that what is being proposed is effectively the same type of DNS doctoring and blackholing that other “less liberal” Governments (China, for instance) have been known to use to block access to things like Facebook, Twitter and YouTube.

“Oh, but we’ll only use it for blocking X”, they say. Question is, does the existence of the mechanism to do this constitute an invitation for it to be used for blocking other things in the fullness of time? Are we going to end up with domains being injected into the feed of “bad things” because they host something that arbitrarily earned some sort of “dislike” from those who have control?

Paging George Orwell, to a courtesy telephone, please.

Just let IPv4 run out. It’s over. Just get on with it.

So, I’m currently at the RIPE 63 meeting in Vienna. Obviously, one of the ongoing hot topics here is IPv4 depletion, at times consisting of discussion on either a) the transition away from IPv4 to IPv6 via various transition mechanisms, and b) how to make the pitiful amount of IPv4 addressing that’s left last as long as possible.

One of the things that is often said about (b) is that it shouldn’t be done to death, IPv4 should just be allowed to run out, we get over it, and deploy IPv6. However (b) behaviour is to be expected when dealing with exhaustion of a finite resource.

There are similarities and parallels to be drawn between IPv4 runout and IPv6 adoption, fossil fuel depletion and movement to alternative energy technologies. The early adopters and the laggards. The hoarders and speculators. The evangelists and the naysayers.

So, for a minute don’t think about oil and gas resources being depleted, that’s way in the future. We’re facing one of the first examples of exhaustion of a finite resource on which businesses and economies depend.

If the IPv4 depletion and IPv6 (slow) adoption situation is a dry run of what might actually happen when something like oil runs out, then we should be worried, because we can’t just rely on carrier grade NAT to save us.

Down at Peckham Market… “Get your addresses here. Laaavley v4 addresses!”

One of the first big deals in the IPv4 address secondary market appears to be happening – Microsoft paying $7.5m for pre-RIR (aka “early registration”) IPv4 address space currently held by Nortel.

There have been deals happening on the secondary market already. But this one is significant for two reasons:

  • The size of the deal – over 600k IPv4 addresses
  • That Nortel’s administrators recognise these unused IPv4 addresses, that Nortel paid either nothing, or only a nominal fee, to receive, are a real asset which they can realise capital against.

Interesting times… Now, where’s my dodgy yellow van?