Monthly Archives: June 2012

Letter to my MP about the Communications Data Bill

Dear Mr ,

I write with reference to the government’s proposed Communications Data

Firstly, a little about my background. I am a freelance computer
professional specialising in IT Architecture and IT Security. Over the
last fifteen years I have worked on systems and designs for many public
and private sector clients including <removed for personal privacy reasons>. I have
also been involved in the forensic analysis of data from computer systems.

I have serious concerns about the government’s plans and its impact on
the individual’s freedoms and human rights. I also have concerns about
the efficacy of this method of gathering information and the potential
for misuse of the data gathered, both legally and illegally.

People today have an intimate relationship with the Internet, in many
cases more intimate than relationships they have with other individuals.
For many the Internet is their first port of call if they have a
concern, for example, about a medical or personal problem. The internet
is used to communicate with like-minded individuals, to access subject
matter of interest, even to pursue someone’s deepest, most private
desires. An individual’s Internet usage therefore reflects their entire
life, even the most private of things like sexual preferences and other
private interests. Collecting data on Internet usage therefore has the
ability to expose an individual’s private life in its entirety.

I believe data such as this should be private, safeguarded by the basic
human right to privacy that should be offered to every human being. It
is accepted that in society the Government, the Police and the Security
Services sometimes need to delve deeply into someone’s life for reasons
of crime prevention and national security. However, this intrusion must
be justified. Currently, the law provides this safeguard with the
requirement for a warrant to be obtained before this type of data can be
collected. In my view it is incredibly important that this safeguard to
our individual privacy is retained.

There is also a major security issue in collecting and retaining this
information. A leak of this information from an ISP could easily happen.
This could potentially put individuals, particularly those in the public
eye, in a situation where they could be blackmailed, threatened,
compromised or harmed. For ISPs to handle this sort of information,
there is also a wider issue here; should ISP staff be subject to
Security Clearance if they have the potential to access this sort of
sensitive information? Would it be appropriate for this information to
be officially classified as Confidential, Restricted, Secret or above?

Information that could be collected under the Communications Data Bill
will not be effective in fighting terrorism and organised crime as has
been stated by the government. I can think of many ways that an
individual could circumvent these measures. For an organised group the
possibilities to avoid detection are even greater. Instead, the data
generated will only really be useful for monitoring and profiling the
innocent. Fear of being caught for doing something that is completely
innocent could do the greatest harm, with individuals, particularly
young people, afraid of seeking information for fear of being
criminalised for it. Profiling in particular is also a major concern as
it effectively criminalises individuals or singles them out for special
attention based on probability. It is incredibly important to remember
that an individual is not a criminal unless they have actually broken
the law. It should also be noted that it would be easy for criminal
groups to resort to more traditional techniques of communication, thus
circumventing this proposed legislation entirely.

From a technical perspective, the technical implementation of this
Bill runs the risk of harming the internet experience for many, causing
slowdown, breakages and difficulty in accessing sites, at least in the
beginning. The heavy technical requirements in terms of skill and
investment favour the very large ISPs and penalise smaller companies.
Some websites do not function correctly when used via an internet proxy
and some ISPs may not be able or willing to make the investment in
infrastructure required to provide a performant web proxy solution. I
worked on one of the UK’s larger proxy deployments for the [removed for privacy reasons] and I can
assure you that the hardware and skill requirements to provide this type
of service are significant. Someone has to pay for this and this will
always be the public, either by increased internet costs, taxation or both.

This bill also preys on the public’s lack of understanding of the
technical issues surrounding this issue. Whilst saying these measures
will enable the Police and Security Services to catch more terrorists,
criminals and paedophiles is very emotive, in the real world I do not
expect a statistically significant increase in apprehension rates as a
direct result of this legislation. I therefore find it difficult to
accept the investment required as there is no real benefit to be gained
from it. I also find it impossible to justify this gross breach of
individual rights for so little gain. To me this Bill is little more
than policing by numbers; monitor enough people and eventually you’ll
find a criminal. This is not by any intelligent process but pure statistics.

I would therefore urge you to consider opposing the proposed
Communications Data Bill in its entirety.

Yours faithfully


Reply from Experian about their Web Monitoring Tool

Thank you for your email, which we received on 11/06/2012.

Web Monitoring

The information we advise you about is only used to alert you to the details we have uncovered.

It is not passed to any other parties and will not be used in any other way, including in profiling issues.

The information is not used for credit scoring purposes.

Web monitoring can only be entered through your Credit Expert membership. Our systems are constantly under review to ensure that the retrieval and storage of your personal information is as secure as possible.

The data retrieved is subject to our normal rigorous storage controls, governed by the Data Protection Act and overseen by the Office of Fair Trading.

If you no longer need to monitor a piece of data you can delete it by visiting your web monitoring hub. Next to each piece of monitoring information you’ve entered in the personal, financial and other contact detail sections you’ll see a minus sign. Clicking on this will give you the option to delete that piece of data.

Please remember, if you need to update the details in your profile information section then you will need to update your details in the “My details” section of your Credit Expert account. Once you’ve updated your details here the changes will automatically be made to your Web monitoring details.

Alerts will remain available for one year after which they are destroyed.

If you’d rather not benefit from the Web Monitoring part of the service we can switch it off for you. You can opt out of web monitoring by clicking on your profile section within your membership.

Kind regards

Mr Joe Farrelley
Customer Service Representative

Customer Support Centre

Email sent to Experian about Web Monitoring Tool

Dear Sirs,

I am concerned by the implications of your new web monitoring tool,
particularly around the use of the data gathered. I would be grateful
if you could answer my questions below.

Trawling the web, including (but not limited to) social and business
networking sites and official sites such as Companies House could
generate a lot of personal information including but not restricted to
an individual's friends, business contacts, relationships, sexual
preferences etc.

1) How does Experian use/intend to use this data?

2) Will this data be used in any way in the credit scoring process?

3) Is Experian using (or planning to use) this data for profiling of
individuals based on their friends, contacts, employment history,
preferences etc.?

4) Is data from profiling used (or will it be used in the future) in
the credit scoring process in any way?

5) Is information gathered using this system shared either with
Experian sister companies or any third party, for example companies
which subscribe to the Experian service or government departments?

6) Is this data used in any way in Experian's Identity Verification

7) How is this data stored, controlled and transferred?

8) How long is this data retained for?

9) Is stored data de-personalised, scrubbed or obfuscated in any way?

Thanks in advance for your anticipated reply.

Kind regards


New Experian service a risk to your privacy and personal security?

On the 2nd of June I received an email congratulating me on the benefits I am now receiving from Experian’s new “CreditExpert Web Monitoring tool”.

It seems that Experian, one of the UK’s three major credit reference agencies, has launched a service that “… will automatically monitor your personal details to protect you against the theft, accidental disclosure and mis-use of your personal information online. We will monitor the web, social networks and public databases.”

Now, great, you might think, but is it really?

Credit reference agencies gather information on individuals in order to provide their corporate subscribers information that assists them in assessing the risk associated with offering credit or other financial services to an individual. Traditionally, this information comes from data provided by companies on individuals who have accounts with them. This data is used to generate a credit “score”, which represents the risk of offering an individual credit. Credit scores range from 1 (very poor risk) to 1000 (no risk). Credit reference agencies also take into account the history of those who you have a financial association with (for example your spouse).

Now, back to this new service. It spiders the web and social networking sites for information on you and alerts you when some is found. As far as this goes, this is okay, but…

If the spider finds your Facebook profile, for example, it then has a list of your “friends”. This is where it begins to get worrying. Now Experian has a list of your friends and they can link you to people you associate with. They can identify your friends’ credit file within their system. By doing this, they can begin to build a set of data which goes beyond your financial associations. By using this sort of profiling, Experian could base your credit score not just on your history but on the history of everyone you associate with on-line. They could also base your credit score on social trends or even the type of jobs your friends hold or their background and lifestyle choices.

Facebook is not the only example. Using sites such as LinkedIn they could gather significant information about your business contacts and employment history and use this data too. What about your travel habits from Tripadvisor or your sexual preferences or relationship history from dating sites?

This type of profiling is neither right nor fair. It is a massive breach of your privacy. It is unfair to you and to everyone you associate with.

Now, at this point, it must be said, I have no evidence that Experian are actually doing this with the data at this point in time. However, simply the fact that they can is worrying enough.

I have read Experian’s privacy policy and they are careful not to confirm or deny exactly what information they gather. They do however confirm that they may use data they gather for the purpose of generating credit scores and that they may share this data with their subscriber companies and their sister companies. They also state that they may transfer your data outside of the UK. In many countries, personal data is not protected. As soon as it’s transferred outside of the UK it’s just data. It’s also interesting to note that the link to the Privacy Policy in the email Experian sent is a unique link, which means they’re tracking how many people click this link and actually read the privacy policy. I wonder why?

Worried yet? You should be. Wondering what you can do? There are two things you can do now:

  1. Log in to Credit Expert and opt out of this “service”.
  2. Write to Experian and ask them what they are doing with your data and make a complaint that this “service” was applied to your account automatically, not as an opt-in service.

My next step will be to write to Experian requesting clarification on what they are using this data for. Watch this space!