Category Archives: Tech

Tech posts

Reply from Experian about their Web Monitoring Tool

Thank you for your email, which we received on 11/06/2012.

*Web Monitoring

The information we advise you about is only used to alert you to the details we have uncovered.

It is not passed to any other parties or will not be used in any other way, including in profiling issues.

The information is not used for credit scoring purposes.

Web monitoring can only be entered through your Credit Expert membership. Our systems are constantly under review to ensure that the retrieval and storage of your personal information is as secure as possible.

The data retrieved is subject to our normal rigorous storage controls, governed by the Data Protection Act and overseen by the Office of Fair Trading.

If you no longer need to monitor a piece of data you can delete it by visiting your web monitoring hub. Next to each piece of monitoring information you’ve entered in the personal, financial and other contact detail sections you’ll see a minus sign. Clicking on this will give you the option to delete that piece of data.

Please remember, if you need to update the details in your profile information section then you will need to update your details in the “My details” section of your Credit Expert account. Once you’ve updated your details here the changes will automatically be made to your Web monitoring details.

Alerts will remain available for one year after which they are destroyed.

If you’d rather not benefit from the Web Monitoring part of the service we can switch it off for you. You can opt out of web monitoring by clicking on your profile section within your membership.

Kind regards

Mr Joe Farrelley
Customer Service Representative

Customer Support Centre
Experian

Email sent to Experian about Web Monitoring Tool

Dear Sirs,

I am concerned by the implications of your new web monitoring tool,
particularly around the use of the data gathered. I would be grateful
if you could answer my questions below.

Trawling the web, including (but not limited to) social and business
networking sites and official sites such as Companies House could
generate a lot of personal information including but not restricted to
an individual's friends, business contacts, relationships, sexual
preferences etc.

1) How does Experian use/intend to use this data?

2) Will this data be used in any way in the credit scoring process?

3) Is Experian using (or planning to use) this data for profiling of
individuals based on their friends, contacts, employment history,
preferences etc.?

4) Is data from profiling used (or will it be used in the future) in
the credit scoring process in any way?

5) Is information gathered using this system shared either with
Experian sister companies or any third party, for example companies
which subscribe to the Experian service or government departments?

6) Is this data used in any way in Experian's Identity Verification
systems?

7) How is this data stored, controlled and transferred?

8) How long is this data retained for?

9) Is stored data de-personalised, scrubbed or obfuscated in any way?

Thanks in advance for your anticipated reply.

Kind regards

Simon

New Experian service a risk to your privacy and personal security?

On the 2nd of June I received an email congratulating me on the benefits I am now receiving from Experian’s new “CreditExpert Web Monitoring tool”.

It seems that Experian, one of the UK’s three major credit reference agencies, has launched a service that “… will automatically monitor your personal details to protect you against the theft, accidental disclosure and mis-use of your personal information online. We will monitor the web, social networks and public databases.”

Now, great, you might think, but is it really?

Credit reference agencies gather information on individuals in order to provide their corporate subscribers with information that assists them in assessing the risk associated with offering credit or other financial services to an individual. Traditionally, this information comes from data provided by companies on individuals who have accounts with them. This data is used to generate a credit “score”, which represents the risk of offering an individual credit. Credit scores range from 1 (very poor risk) to 1000 (no risk). Credit reference agencies also take into account the history of those who you have a financial association with (for example your spouse).

Now, back to this new service. It spiders the web and social networking sites for information on you and alerts you when some is found. As far as this goes, this is okay, but…

If the spider finds your Facebook profile, for example, it then has a list of your “friends”. This is where it begins to get worrying. Now Experian has a list of your friends and they can link you to people you associate with. They can identify your friends’ credit file within their system. By doing this, they can begin to build a set of data which goes beyond your financial associations. By using this sort of profiling, Experian could base your credit score not just on your history but on the history of everyone you associate with on-line. They could also base your credit score on social trends or even the type of jobs your friends hold or their background and lifestyle choices.

Facebook is not the only example. Using sites such as Linkedin they could gather significant information about your business contacts and employment history and use this data too. What about your travel habits from Tripadvisor or your sexual preferences or relationship history from dating sites?

This type of profiling is neither right nor fair. It is a massive breach of your privacy. It is unfair to you and to everyone you associate with.

Now, at this point, it must be said, I have no evidence that Experian are actually doing this with the data at this point in time. However, simply the fact that they can is worrying enough.

I have read Experian’s privacy policy and they are careful not to confirm or deny exactly what information they gather. They do however confirm that they may use data they gather for the purpose of generating credit scores and that they may share this data with their subscriber companies and their sister companies. They also state that they may transfer your data outside of the UK. In many countries, personal data is not protected. As soon as it’s transferred outside of the UK it’s just data. It’s also interesting to note that the link to the Privacy Policy in the email Experian sent is a unique link, which means they’re tracking how many people click this link and actually read the privacy policy. I wonder why?

Worried yet? You should be. Wondering what you can do? There are two things you can do now:

  1. Log in to Credit Expert and opt out of this “service”.
  2. Write to Experian and ask them what they are doing with your data and make a complaint that this “service” was applied to your account automatically, not as an opt-in service.

My next step will be to write to Experian requesting clarification on what they are using this data for. Watch this space!

Qsmtp – all new, improved qmail.

I recently embarked on a mission to make Qmail work with IPv6. I succeeded, in part, with the qmail-jms1 patched version of qmail. Overall, however, I was not completely happy with the jms1 approach. The author of this patch had added some slightly unusual functionality and, most importantly, this patch does not appear to be compatible with the qmail-spp patch, which I used to perform valid user checks before accepting mail.

Recently, however, I discovered Qsmtp (http://opensource.sf-tec.de/Qsmtp/).

Qsmtp is a drop-in replacement for qmail-smtpd and qmail-remote which provides advanced anti-spam features like SPF, DNS RBL, MAIL FROM validation, vpopmail user validation and more.

It also provides full IPv6 support.

For a Gentoo system, it’s as simple as adding the author’s overlay in layman and emerging netmail-Qsmtp.

This seems to work flawlessly. I’m impressed.

IPv6 switchover – are corporates taking it seriously?

In the IT world, most people have heard of IPv6 by now. Many Internet-centric companies already have IPv6 connectivity and an IPv6 web presence. Many ISPs are set to start the roll-out of IPv6 to end-users this year. Outside of these companies, however, people seem to have little understanding about IPv6.

In my work as an IT Architect, I see many proposed solutions. Worryingly, it seems many companies are still designing IPv4-only networks to be deployed in 2012 and 2013 with no consideration of how they will provide IPv6 capability, both internally and for internet-facing services. Failing to provide IPv6 capability at the outset could result in a whole host of problems.

Deploying an IPv4-only network now could result in the requirement to re-design in less time than was originally planned for, introducing more cost and work. For companies whose web presence is core to their business, as IPv6-based connections to home users become the norm, loss of revenue could result. Most companies consider email an essential service nowadays. As more organisations switch to IPv6 there may be issues with mail routing. IPv4 addresses will become more expensive and less available in the near future; in fact, this process has already started. Growing an IPv4 deployment may become increasingly expensive and difficult because of this.

This issue does not just affect Internet-facing services either. Although it is possible to run a mixed environment, this tends to work better if client PCs run native IPv6 stacks rather than doing translation at the network layer. This means reconfiguring many machines to support dual-stack working or switching to an IPv6-only network internally. All of the main operating systems can handle this fine; it’s embedded devices like network printers and IP ‘phones which may struggle without a firmware update. Many vendors of these types of devices seem to be seeing the IPv6 switchover as a method to force clients to upgrade to newer versions of these devices and hence are not offering firmware updates to provide IPv6 support.

In summary then, companies would do well to consider their roadmap to IPv6 capability sooner rather than later. Indeed, those companies which take this on board now could use this as a strategic edge over their competitors.