Privacy Questions: Using “_TheCloud” at The Barbican #htb2013 #stacktivism

The public wifi access at The Barbican is provided by “The Cloud” which was acquired by BSkyB in January 2011. BSkyB is 39% owned by 21st Century Fox (previously part of News Corporation) whose Chairman and CEO is Rupert Murdoch.

Since seeing the kerfuffle about City recycling bins (now no longer) tracking smartphones, I’ve been thinking more about what data network-connected devices pass around and record.

Here’s the data they “may” hold on me

So I looked at The Cloud’s Privacy Notice in conjunction with my Account Details page, which together, for me, raise lots of questions. They hold:

  • Information you have given us, including on our websites.
    • OK that’s my e-mail address and password, Name, Surname, House Name or Number, Postcode, Date of Birth. And whether I’ve opted out of being contacted “about products and services you may like.”
    • Well that’s the data that they remind me that I’ve given them on my account details, but I couldn’t tell you whether I filled other fields in when I first signed up years ago.
  • Information about our services you’ve used.
    • Looking at my details, I can see my last 14 logins going back to 25th June (including the time I absent-mindedly got on the Giraffe wifi in the Brunswick Centre but was actually in Starbucks)
    • There’s a menu for “Product Device Management” but I don’t seem to have any.
    • There’s also an empty screen for “Transaction History” but I think that means paying them anything, which I haven’t.
  • Information provided by other companies who have your permission to share information about you
    • Yikes! All those incorrectly ticked or unticked opt-out/opt-in boxes. The international conspiracy of marketing data collectors will be after me as will the lackeys of PRISM.
  • Information we collect using cookies stored on your device. For more information on cookies and how to manage them, please see our section on ‘Cookies’.
    • So looking at the cookies on the browser I was using yesterday there are cookies from and from – the first lot appear to be tied to Google Analytics. The others are called “jsessionid”, “mycloudid” & “routeid” – presumably these identify me as a previous user and tell you something about my latest session.
  • Your IP address (this is a number that identifies a specific network device on the internet and is needed for your device to communicate with websites).
    • Which is dynamically allocated by the router? But you keep a note of which one I was using for a particular session?
  • Technical details about your computer or access device.
    • Could be anything, but I’m assuming at least browser, OS, MAC address, device make & model etc. How about which ports I have open during a session?
  • The times and dates of your access to our service.
    • Naturally
  • The locations of your access to our service.
    • Yes, I’d expect so.

And this is how they will *may* use it

  • We may use it for market research.
    • You don’t say!
  • We may also need to use it to pass to others so we can keep to any legal or regulatory requirements, to protect or enforce our rights or the rights of any third party, in the detection and prevention of fraud and other crimes, and for the purpose of protecting national security.
    • Ah the “machines of loving grace”!
  • We may pass your information to anyone who takes over our business for them to use for the purposes set out in this privacy notice.
    • Phew! Couldn’t be anyone worse than Murdoch, surely 🙂

So do I stop using this service? Are we going to build our own mesh network and implement totally secure and commercially-independent communications networks for the time we’re here? I’m afraid it’s about as likely as me growing my own carrots and keeping a pig on our balcony as a way of avoiding the corporate evils of the supermarkets.

But it points to a gap in the market – ethical public ISPs that have a VRM attitude to our data.