Tag Archives: Ed Snowden

Snowden: Spying is “much worse in the UK than the United States”

Written for Tech City News and first published here.

Mass government surveillance is “much worse in the UK than the United States,” NSA whistleblower Ed Snowden has warned.

Speaking at Nesta’s FutureFest Snowden said the “light oversight regime” here has seen billions of normal people’s communications routinely accessed by GCHQ. “It’s not security – it’s spying.”

He pointed to the recent rebranding of this activity, from mass surveillance to “bulk collection”, saying that: “we have to get the government to admit there’s a problem… we can’t let them redefine it.”

Snowden left his $200,000 per year job working for the US’ National Security Agency back in 2013 after he after he felt he “could not consciously participate in” what he saw happening.

He says officials from the UK, Canada, the United States, New Zealand and Australia were able to use a searchable database to look through communications records. “Our communications are being stolen and stored so they can be rifled through at the convenience of security agents.”

Snowden advocates end-to-end encryption but says he is “fairly conservative” on surveillance “if they [government officials] have a warrant from a court”. He said he believes the technical side will win, as it’s easier to protect communications in transit than it is to enforce legislation in every country in the world.

He pointed to Iceland’s anti-surveillance stance and said it’s likely that data centres and other services will start to locate there if they feel they cannot be protected from mass surveillance in their own countries.

Today’s “pre-criminal” activity, he said, is “an incredible departure from the liberal tradition… If we go along with the status quo then we will be living in a mass surveillance world.”

The Trillion Euro Question: Whose Data is it Anyway?

It may feel like an age since Ed Snowden made his revelations about US and UK Government spying last year, but the issue of balancing security and privacy continues largely unresolved. Now, a film documenting the NSA contractor’s first interviews with journalists, CITIZENFOUR, has hit UK cinemas, and GCHQ has a new head who says tech companies are facilitating terrorism. A perfect time to take another look at data security in the industry…. (first published in the June issue of Mobile Marketing, republished here)

Guardian editor Alan Rusbridger has called indiscriminate smartphone tracking “the biggest debate of the 21st century”, while Chi Onwurah MP, former head of telecoms technology at Ofcom and now leader of Labour’s digital government review, told Mobile Marketing that “mobile is the next big security scandal waiting to happen”.

The American Civil Liberties Union (ACLU) is currently suing the US government for its role in mass surveillance, as well as advocating a Fair Data equivalent to the Fair Trade mark for companies. Speaking at an event staged by The Economist earlier in the year, Christopher Soghoian from the ACLU levelled blame at the ad execs who built the big data marketing systems now proven to be a key tool for US and UK spies. “I’m not here to tell you what you’ve done is evil,” he told the audience. “But it is.” And with the EU and US currently reconsidering data protection legislation, the landscape is set to change quite significantly.

“People’s understanding of what can be gathered from mobiles has improved quite a lot over the last few years,” says Forrester analyst Anthony Mullen. “Data security is now the number two concern for smartphone owners according to TRUSTe – second, of course, to battery life.” It’s the range of data generated by smartphones compared to desktop, he says, that has had companies rubbing their hands but consumers wringing theirs.

Even young people, often perceived as indifferent, are becoming increasingly worried. Research from youth marketing specialists Voxburner found that 67 per cent of 16-to-24 year olds consider security their number one concern when buying an internet-connected device. But Luke Mitchell, head of insight at Voxburner, says: “Yes, young people are aware of data privacy issues and are concerned about the misuse of their data, but there is also a sense of acceptance and powerlessness among them.”

“When WhatsApp was bought by Facebook it was making no serious revenue, so the purchase price indicated that the social network was buying the OTT messaging service based on the value of each user,” says McAfee’s Raj Samani. “That works out at about $40 each, compared to around $30 when it bought Instagram and $20 when Google purchased YouTube.” The value of personal data is increasing, Samani says, but the perceived value among ordinary people is actually decreasing. “We’ve actually seen people give away their personal data for chocolate.”

Put simply, Forrester’s Mullen believes that: “Privacy policies have to be written so a grandmother could understand them. Brands should not be scared of asking for lots of data, but obviously if they don’t get data handling right, that will hinder growth. Third parties basically don’t care. From the conversations I have, it’s clear they’re just not getting it. So brands have to put pressure on them. Future mobile services need to move to prediction but brands have to be clear and transparent about who they’re sharing with.”

Privacy is the new green

Aurelie Pols has been working in data analytics for a decade and sold her first startup to what is now Digitas LBi. She now works out of Spain, which has handed out 80 per cent of the EU’s total data protection fines to date, where she leads an analytics company and specialist law firm Mind Your Privacy. If data is the new oil, Pols declared during a recent webinar with CoolaData, then privacy is the new green.

“Certain industries, like advertising, have this weird sensation that giving customers choices will make them lose money,” she told Mobile Marketing. “That’s not really the case. And the industry doesn’t seem to know how to ask for consent: ‘No let’s not ask them, let’s just take the data and say nothing’.”

More so than simply not knowing how to ask for permission, Forrester’s Mullen says that those in the industry, particularly ad networks, “have their fingers in their ears”. “Ad networks are invested in capturing a lot of local data, often employing obtuse ways of finding out what consumer identities are. Marketers and vendors will just capture as much as they possibly can and work out what to do with it later. There needs to be better planning on data need and for who capturing and measuring data is going to benefit. App developers are likewise being greedy and capturing as much as they can.”

“There is an issue with third-parties in the supply chain and the obvious one is advertising where there’s a mesh of different data flows going on,” echoes Simon Rice, group manager for technology at the Information Commissioner’s Office (ICO). “When you click on a URL, so many things are going on in the background to make the decision on which ad to serve – and you can’t predict at present where that data will go.”

The ACLU’s Christopher Soghoian flagged data brokers as a potential loose cog in the big data machine, naming the likes of Acxiom, which works with everyone from Google to Microsoft to tie up in-store and digital purchasing data. “You quickly run into organisations that don’t have a brand that can be damaged. If a third-party misuses or loses data – who will be held accountable?”

Acxiom now runs a service that enables users to find out what data it holds on them (aboutthedata.com). You just have to enter a whole load of personal details to get started… Needless to say Acxiom CEO Scott Howe favours self-regulation and brands the US Rockefeller data bill currently going through Congress as worse than the worst parts of Obamacare.


The high-profile ‘Heartbleed’ security flaw found in April could have allowed hackers to access passwords and other supposedly encrypted data. The ICO’s Simon Rice says those targeting it would have had to be very lucky to get anything other than “a big blob of data”, but nevertheless, this was a serious hole in the open source code Open SSL used by everyone from Google, Amazon and Rackspace to secure their vast infrastructure.

As a not-for-profit project with only one full-time employee, the Open SSL team has successfully lobbied the big companies that use its software to contribute to its future success. Rice doesn’t advocate closed networks, with everyone from the FT to the BBC advocating open source, he simply asks: “Should companies have done a bit more code review from an organisational perspective?”

The industry’s attention has now turned to encryption as the ‘sure-fire’ way to protect data. Forrester’s Anthony Mullen says that they’re expecting to see more encryption tools – possibly even something from smartphone OS owners who were annoyed at how their data was being commandeered by security services. “It’s quite a lid that’s been lifted and it’s good for the health of the web,” he adds.

“The maths for encryption works,” Rice agrees. “The problem is it’s got to be implemented properly. If the data is secure in transit but then stored in plain text at the other end, the encryption was bullet proof – but the implementation wasn’t. My concern on the app side of things is that any app developer could just grab a code library from somewhere online, with no idea where the code came from and no due diligence process that they can explain to the user.”

McAfee says it now finds 39,000 new malware threats every single day, housing more than 40m of them in its purpose-built ‘zoo’. The data revolution in many ways, Raj Samani says, has been led by those offering ‘Hacking as a Service’, and the opportunity to rent malware or find it open source and learn how to use it by watching videos on YouTube. If robbing banks was high risk with potentially no reward, the gravitation towards cyber criminality is, arguably, just good business sense.

Data first

So what if your company is built solely on the use of data? The recently launched Cloze app has been developed specifically to help professionals manage the “novel a day” of social information they now receive as part of modern working life. Users sacrifice their personal information in order for Cloze’s algorithm to prioritise all the messages coming into their various inboxes and streams, with a premium service that adds extra features.

The company’s co-founder Alex Cote says accessing customer data is the “nature of the beast”, but as companies have been criticised for storing personally identifiable information in plain text, he explains how Cloze has been built with security and privacy baked in. “The team has built Cloze so that data is encrypted in our database so even employees can’t access it. Cloze doesn’t share any details across different users’ accounts and our security pledge, found easily on the company website, explains that data will not be sold or shared with advertisers.”

It’s not just startups that are making huge efforts to collect and analyse customer data in order to engage users, upsell services and attract advertisers. “Data is at the heart of the FT‘s strategy,” says Kristina Eriksson, head of media relations at the FT. “It gives us a deeper understanding of our audience and facilitates smarter product development and marketing.”

The FT famously shunned a presence in Apple’s App Store in order to have full visibility and control over customer data. “Because our mobile app is web-based, we are able to apply the same analytics as on desktop to campaigns on this platform, on- and offline, unlike pure ‘native’ offerings,” Eriksson says. This strategy doesn’t seem to have hurt, with mobile accounting for nearly a quarter of all new subscriptions and overall digital subscriptions to FT.com growing 31 per cent during 2013 to represent almost two-thirds of the publisher’s total paying audience.

“Our focus is on using engagement data intelligently to correlate the amount of time a brand message is exposed to our audience with the outcomes of the campaign. By matching a client’s content to FT articles through FT Smart Match we can improve campaign performance significantly.” Eriksson says that the FT works hard to ensure data protection is built into its products from the start and the company collaborates closely with technology and network providers to address any potential risks. No individual data is available internally, she adds, with analysis only made around general demographic cohorts.

Inrix, a big data analytics company working on building a huge ‘population analytics’ platform, is currently partnering with Havas on a smart city project in Oxford – a brief that seems somewhat out of the usual territory for a media agency. The project has been devised by Havas’ new chief data officer Mike Potts, who became the company’s first ever CDO back in February. He says he was appointed “to send a message to the market that we’re really serious about this”.

Matt Simmons, director of marketing for EMEA at Inrix, believes that data analysis is crucial to 21st century business. “Big data and the analysis of that data is also a catalyst for creating new and innovative services that can provide real value across a number of sectors,” he says. “Companies that use data to deliver better insights to customers and decision-makers stand a greater chance of differentiating themselves from competitors and driving their business forward in this technology-driven age.”

No Data?

Far from the smart use of data helping good companies distinguish themselves from the rest, some in the industry now believe that a full-blown ‘no data’ policy could start to be the true differentiator, identified as a trend to watch for 2014 by TrendWatching.com. “Brands will have to walk a fine line between offering consumers a valuable (and ideally seamless) service, and freaking them out with aggressive if not downright scary ‘services’. Yes, consumers want to feel served, but they don’t like to be watched.”

“Online services are actually starting to use privacy to promote their brand,” the ICO’s Rice flags. “Microsoft has just announced that they won’t do any targeted advertising for education products – now Google says they will do the same thing.” Pols welcomes this, adding: “I hope this means that in the future it’s going to be a more egalitarian battle than what it is now. I’d actually like services to allow me to pay but they say ‘this is not our business model’. This ‘free economy’ gives people no choice. You should be able to pay for stuff to keep your data private.”

Data legislation

In a landmark decision, the EU has now ruled that Google users have the ‘right to be forgotten’, with the search engine now facing an administrative task of truly unknown complexity and scale to adhere to this. Short of having a full Digital Magna Carta, something father of the internet Tim Berners-Lee demanded on the 25th anniversary of his invention, Europe has already begun the long process of revising its entire 1995 Data Protection Directive.

This is already tabled to include a more wide-ranging ‘right to be forgotten’ and while most of our commentators believe the new believe the new rules are going to be a positive thing, McAfee’s Samani says that any legislation brought in to protect citizens, and brands, from the threat of data loss, has to be realistic. “The ‘right to be forgotten’ is technically impossible. You have a digital tattoo once your data goes out there and once your data’s gone it’s gone.”

Pols believes that given that data is transferred from one continent to another at the click of a mouse, the only way to move forwards is to have global data legislation.“The US and UK get stuck with the word ‘privacy’ and as long as we find it difficult to define privacy, we can’t legislate for it. Data protection, favoured in the rest of the EU, is something totally different. Internationally, in the last six months alone, it feels like the Americans are starting to align with this. It’s certainly better than two years ago where in the US the attitude was ‘privacy is dead, just get over it’.”

“Europe’s going to lead this – spurred by legislation and informed by the continent’s recent history of fascism – and completely redrawing engagement lines between brands and consumers,” Anthony Mullen from Forrester adds. “And the press will have a field day when the flood gates open – way more than the EU cookie law. There will be a lot of pressure from journalists to get brands to change their behaviour.”

My Data?

The Boston Consulting Group (BSG) has estimated that the personal data economy could be worth €1trn (£820bn) in Europe by 2020, roughly 8 per cent of the combined GDP of the EU-27 countries. “For European businesses and governments, the use of personal data will deliver an annual benefit of €330bn by 2020, bringing growth to an otherwise stagnant economy,” a BSG report says. In its survey of 10,000 people worldwide, 78 per cent said they would use tools to control personal data if available. “Companies that excel at creating trust should be able to increase the amount of consumer data they can access by at least five to 10 times.”

Given the value now placed on data, some are now working towards offering citizens a way to actively sell this ‘new asset type’ and reap the revenue rewards themselves. Companies like Handshakes and Datacoup have begun to offer this on their own data marketplaces, but personal data on its own, as opposed to within a group of people ‘like’ you, appears to offer little value. The FT’interactive tool ‘how much is your data personal data worth?’ explains that data brokers already know your age, gender, postcode, ethnicity and education level, all worth a sum total $0.007. If you casually throw in that you’re a millionaire, that figure only goes up to $0.123.

Some individuals are now testing the power that the internet has over your data. Internet activist Shawn Buckles sold all of his personal records for €288 in a bid to highlight data security issues. He states on his website: “Privacy is gone. We gave it up, for no other reason but the thought that it’s useless. Why don’t we protect our rights?” Buckles was quickly followed on this mission by mum-to-be Janet Vertesi, who went to extreme lengths to hide her pregnancy from big data and was flagged as a criminal along the way.

The UK Government’s own Midata project is also working on ways for citizens to access their data for use for civic services. “The Midata programme is a voluntary programme working with companies in key sectors of the economy: energy, personal current accounts, debit cards and credit cards,” says Gemma Lobb from the Department for Business Innovation and Skills, which is backing the work. “The Government is focusing on areas where the data held will have the most value for consumers, either in terms of giving them access to the type of information that will help them make an effective switching choice, or where there is the potential for the data to drive services to empower them.”

People will eventually be able to download a transcript of their data and use it as part of the personal data economy, which is great if you trust the Government to help you manage your personal details. According to BCG, government is less trusted than brands on data management. The Midata programme itself does not have access to any data, Lobb explained, it’s working with brands so that they are encouraged to give back certain data that they hold on their customers. The team recently set up a consumer protection and trust work stream that is soon to report on its findings. “I worry about how we educate individuals of what are the additional risks are around giving people a full transcript in readable format of their personal data,” admits the ICO’s Rice. “Scammers and spammers will be onto this as well.”

The Government has wholeheartedly joined the open data revolution, even giving £10m grant funding  to London’s Open Data Institute, but questions remain around what political involvement does to the neutrality of data collection and dissemination. Plans to sell off NHS data have been “mishandled”, according to the chair of the panel set up to advise the NHS and ministers on the governance of patient information, while HMRC’s plan to sell of its data has been branded “borderline insane” by Conservative MP David Davis.


Although a complex area, it appears that words like transparency and consent are now coming into everyday vocabulary for marketers, policymakers and citizens, with seductive opportunities to collect data becoming increasingly heavily weighed against the potential to leave people feeling betrayed.

“Phase one was all about snooping – which was a great advantage for advertisers,” Forrester’s Mullen concludes. “In phase two we’re seeing more awareness and more controls. But we need to go through this to realign. Phase three will see much more automation, around wearables and contextual services, when people trust brands to do this for them. The nirvana of deeper, richer services will not come until we go through this pain.

“Privacy really is just a subset of this bigger topic – trust,” he adds. Trust is a much more positive thing to hang this change in the way that we use data on and I want to see this reframed as the trust debate.”

So it looks like we are in a transition. But we – people, government and business – are yet to really start talking to each other about, and truly understanding the consequences of, smartphone tracking, as Guardian editor Alan Rusbridger urges, less still the complexities of a full-blown debate about trust. And without this, yet more scandals, either through intention or oversight, are no doubt on their way.

Watching CITIZENFOUR on Friday was certainly one uncomfortable way to spend Halloween. Find a screening of the film here.

‘Leaky Apps’ Scandal: Where Does the Buck Stop?

Apps stock imageThis week’s revelations about the role that app developers and advertising networks may have (potentially accidentally) played in UK and US government spying raises very important questions for the mobile industry.

Aside from Rovio, which released a comprehensive statement assuring its users that it does not give data to spying agencies, and levelling blame at third-party networks, the silence from the industry has been deafening.

Google’s Doubleclick ads are among those served within Rovio’s Angry Birds, which implicates the company in this alleged haemorrhaging of personal details. Google is also an app owner, with its suite of productivity apps among the most widely used in the world, giving it even greater visibility of data and relevant security issues.

Google: No comment

Asked what the company made of the Wikileaks information, a Google spokesperson said: “We don’t have a comment on this.” When pressed on its responsibility to its users, Google added: “No one’s available for comment.”

Ad networks including Millennial Media and Nexage also serve ads within Rovio’s apps. Millennial Media’s EMEA content and communications manager Dave Ross-Tomlin, made a short statement yesterday. “There has been reporting over the last 24 hours about the collection of mobile data by government ‘spy’ agencies,” he said. “Let us be clear: Millennial Media has not and does not work with, nor pass information to, the NSA, GCHQ, or any other such agencies.”

The company said that it uses non-personally identifiable data provided by publishers – in this case, app developers – with the permission of users. It then adds additional filtering for regulatory compliance, relating to laws like the Children’s Online Privacy Protection Act. We were directed to their privacy policy but Millennial could not give any more detail about whether data could have been collected without them knowing and, if so, how this could be stopped in the future.

MMA: We take privacy seriously

It is not entirely clear within whose jurisdiction this lies and who should be held accountable if consumers’ privacy is infringed. While the Internet Advertising Bureau said it is unable to comment, Stephen Upstone, UK chair of the Mobile Marketing Association, a trade body for the industry, said that his organisation and its members take the issue of consumer privacy very seriously.

“I am not aware of any companies sharing of customer data accidentally or deliberately,” Upstone said. “The MMA takes an active role in encouraging regulation and best practice with the mobile marketing and advertising industry globally. We consult with brand marketers, advertising agencies, publishers, software and service suppliers on behalf of the industry and consumers.”

When asked who could be held responsible if data has been handed over to security services, purposefully of not, Upstone added: “Individual companies that handle data are responsible for ensuring it is properly handled, securely stored and that the laws and regulations are being respected. App developers who work with third-party suppliers and manage data are responsible for choosing vendors who are managing data properly.”

Rovio has said that it is now re-evaluating its work with ad networks as it considers how to ensure that data is not made so freely available in future, but without clear evidence of who has done what, many in the industry face having this key app ad inventory removed from their arsenal. And with little response from app developers and the ad networks they work with, it is difficult to know how the industry can stop this happening in the future.

ICO: We have raised concerns about US spying

We got in touch with a number of consumer protection organisations, including Consumer Future and Which?, but they were unable to comment as they did not have the relevant expertise. An Information Commissioner spokesperson said that app developers must comply with the requirements of the Data Protection Act, including being open about how data will be used and that data collection is not excessive, on which the organisation has created guidelines.

On the NSA and surveillance, the ICO spokesperson said: “There are real issues about the extent to which US law enforcement agencies can access personal data of UK and other European citizens. Aspects of US law under which companies can be compelled to provide information to US agencies potentially conflict with European data protection law, including the UK’s own Data Protection Act. The ICO has raised this with its European counterparts, and the issue is being considered by the European Commission, who are in discussions with the US Government.”

This is just the latest in a long list of examples of government infringing on civil liberties, so are people right to ask whether privacy itself is a thing of the past? Online security firm Bitdefender says that users who embrace privacy are ‘denied access to modern technology’.

Bitdefender: Internet is a pool of data waiting to be mined

“Many of the apps that we install on a daily basis are paid for with our private details,” said Alexandru Catalin Cosoi, chief security strategist at Bitdefender. ”On one hand, advertisers are becoming greedier and greedier, because the more personal information they get, the more accurate their profiling, and on the other hand, developers are better paid if they accept the task of getting more information for the advertiser.

“It looks like a win-win situation, but the end-user has the most to lose in the case of a data breach, and what’s most harmful is that most of the time they aren’t even aware that their private information is being harvested. Social networks are booming and a good chunk of users either have no idea how to, or do not care about, safely using these. The internet has become a pool of personal information ready to be mined.”

It was announced yesterday that Ed Snowden, the man who did some data mining of his own when he leaked documents about government spying to Wikileaks, has been nominated for the Nobel Peace Price. But the prize is not without its critics, with past nominees including Joseph Stalin.

In an interview in December Edward Snowden said: “I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.” These revelations look like a good opportunity for the mobile industry to do some soul-searching of its own.

We reached out to a number of ad networks, including Nexage and Medaiplex, who did not get back to us. Adblock, creators of software to stop ads, declined to comment and App Annie, the app data analytics platform that tracks 3.9m apps, said it ‘may be next week when they engage with the question’. We are awaiting further comment from a number of other organisations. 

Written for Mobile Marketing Magazine and first published here:  http://mobilemarketingmagazine.com/leaky-apps-scandal-where-does-the-buck-stop/#vouAJQ4eioHpUut1.99

Rovio Points to Ad Networks Over Data Leaks to NSA and GCHQ

Angry Birds CartoonAfter revelations in the Guardian today, on the EU’s international Data Protection Day no less, that Angry Birds and other ‘leaky’ phone apps like Google Maps have been targeted by NSA and GCHQ for private user data, the app developer Rovio has responded by pointing the finger at third-party ad networks.

The allegations about the security of popular apps relate to documents leaked by Edward Snowden to Wikileaks and subsequently passed on to the Guardian, the New York Times and ProPublica.

They show that apps, where commercial data is collected by developers or advertising networks, are considered a target for spies, with Angry Birds used as a case study. Information that may have been intercepted includes phone model and screen size, personal details like age, gender, sexual orientation and sexual preferences, and location data, including live Google Maps queries.

‘Anyone using Google Maps on a smartphone is working in support of GCHQ’ 

The documents do not show how much data has been collected, stored or searched, or how many people are affected, but a document from 2008 highlighted by the Guardian explains that the level of access ‘effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system’. And apps have certainly come a long way since then. The NSA has spent more than $1bn in its phone targeting efforts, the Guardian reports.

Rovio, who spoke to Mobile Marketing last week about its plans for the Angry Birds apps, which have been downloaded more than 2bn times to date, has now issued a statement. The company says that it ‘does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world’.

“The alleged surveillance may be conducted through third-party advertising networks used by millions of commercial web sites and mobile applications across all industries,” Rovio said. “If advertising networks are indeed targeted, it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance. Rovio does not allow any third-party network to use or hand over personal end-user data from Rovio’s apps.”

‘We will have to re-evaluate working with these networks’

Mikael Hed, CEO of Rovio Entertainment, added: “The most important conversation to be had is how to ensure user privacy is protected while preventing the negative impact on the whole advertising industry and the countless mobile apps that rely on ad networks. In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes.”

We have reached out to ad networks working with Rovio, including Millennial Media, Nexage and Google’s DoubleClick, along with the relevant industry bodies and privacy campaigners to comment on the story. Watch this space.

Written for Mobile Marketing Magazine and first published here: http://mobilemarketingmagazine.com/rovio-points-to-ad-networks-over-data-leaks-to-nsa-and-gchq/#LVXpgpxoBCtYwy80.99