
Why the Cambridge Analytica story is a warning to Sky

Over the past week or so, Cambridge Analytica and Facebook have barely been out of the news. The central thrust of the story is that people consented to share information with Facebook and apps hosted on Facebook, which has then been used to target advertisements. It is claimed that these targeted advertisements influenced the US Presidential Election and the UK’s EU membership referendum. Despite frequent uses of phrases like “hack” and “data breach” in the news coverage, none of this actually involved anything other than use of information for which people had given consent—but the consent may not have been truly informed consent, because people simply clicked “Agree” without reading. (This old story, in which users of free wifi universally agreed to hand over their eldest child in exchange for internet access, feels relevant here.)

To anyone interested in technology, nothing in this story is particularly surprising, and I think it’s fair to characterise most of the tech press as struggling to cover it. Even Carole Cadwalladr, the journalist credited with highlighting this story, reportedly sees herself as a feature writer who translated something well-known among the well-informed into a story with mass appeal, rather than uncovering anything new.

To me, that the adverts on Facebook feeds are not randomly chosen seems self-evident. And yet, there is plenty of evidence that many people don’t even recognise adverts in their Facebook feeds, let alone wonder how they were chosen. The coverage of Cambridge Analytica seems to suggest that many users are agape at the revelation that Facebook adverts exist and are targeted at users. In some quarters, the anger at Facebook is offset by the fact that the service is free to use and “has to make money somehow”.

If I were an investor in Sky, I would be worried right now. Unbeknown, I suspect, to the vast majority of its users, Sky targets TV ads via a platform called AdSmart. Sky boxes download adverts overnight and then play back commercials targeted at households in ad breaks. Or, as they put it,

With Sky AdSmart different ads can be shown to different households watching the same programme.

Sky uses an enormous amount of probabilistic data on subscriber households to enable this targeting, including everything from household income, the age of cars owned by household members, the month of renewal of insurance policies, the pets owned by householders, whether subscribers are pregnant, and even the compass direction in which the householder’s garden faces. Sky promotes this to advertisers as an

in-depth knowledge of Sky households … There are thousands of combinations to choose from when selecting the audience that sees your ad. Households can be selected based on factors such as age, location, life style or even if they have a cat … allowing advertisers to cherry-pick their audiences.

If people don’t expect targeted advertising on a platform where they proactively share much of their life, then I suspect that they are even less expectant of being profiled and targeted with advertising while they are catching up on the latest soaps. While folk post about their cats on Facebook with alarming frequency, I think many people would be upset to learn that Sky knows whether they own a pet, let alone that this knowledge is used to show them relevant TV ads. And, of course, users pay Sky hefty subscription fees each month, negating the “has to make money somehow” mitigation.

Nobody can claim that Sky is anything other than open about AdSmart, and I am quite certain that they will have legally compliant consent from subscribers as part of the terms and conditions of their service. But all of that is also true of targeted advertising on Facebook. To me, AdSmart feels intuitively like a programme ripe for “exposure” through a talented journalist like Carole Cadwalladr. While the press has less of an incentive to attack Sky than it does to attack Facebook, I would be worried if I were Sky.


The picture at the top is based on an original posted on Flickr by Sarah Joy. I’ve modified it and used it here under its Creative Commons licence. The Sky AdSmart picture in the middle is a promotional image owned by Sky Group, used here under the ‘fair dealing’ exception to copyright law.

This 2,422nd post was filed under: News and Comment, Posts delayed by 12 months.

Blossom

This 2,421st post was filed under: Photo-a-day 2019.

Icon within an icon

This 2,420th post was filed under: Photo-a-day 2019.

Mercury and Psyche

This 2,419th post was filed under: Photo-a-day 2019.

North Sea

This 2,418th post was filed under: Photo-a-day 2019.

Passwords suck

The Washington Post’s Hayley Tsukayama recently pointed out that in the latest version of Windows,

if you go through setup as recommended, you’ll never get a password option.

Passwords, we can surely agree, are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80 percent of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol.

Indeed, we certainly can agree: passwords suck. I seemingly have quite a few more online accounts with passwords than the average person. It’s simply impossible to have unique passwords for all these accounts and have any hope of remembering them. So for many years, I used LastPass to manage my passwords (though I moved elsewhere after their significant data breach), and turned on two-factor authentication wherever I could. I even used a YubiKey for a bit, until I got fed up with having to fetch my keys to log in to stuff. Despite this, I was still pretty lazy, and typically used the same password (or a simple derivative of it) to sign up for new services, which meant that–despite all advice to the contrary–many of my accounts ended up with the same password.

I thought this was “alright enough” security. I had unique passwords for accounts I saw as “high risk”, such as banks and email accounts, but “so what” if some loyalty card account shared a password with some other account. I didn’t think I cared. Even when I knew that various companies’ data breaches had exposed my information, I didn’t think I needed high security on most of my accounts.

Then, in a matter of months, three things happened that changed my mind.

First, somebody used my details to spend a couple of quid on my Greggs app. I don’t actually use the Greggs app very often, so it took me quite a while to notice that my account had been drained of the small change it contained. And I wasn’t all that bothered: I was mostly amused that someone had gone to some effort to steal a small amount of money to spend on pastries. I didn’t even report it, I just closed down the account. (Sidenote: yes, I’m a public health consultant, and yes, I had an account on the Greggs app. Deal with it.)

Second, I noticed that dodgy advertising text had been inserted into a number of posts on my blog. This did irritate me. It turns out that I had both used a frequently repeated password to secure the database that runs the site, and also left this in a publicly accessible place. I’m fairly certain that it was the former rather than the latter that led to the problem. In some cases, the miscreant had also deleted the backups of posts, so I couldn’t do a simple restore to overcome the problem: I had to do it manually. And I still occasionally come across bits of inserted text that I missed when cleaning up.

Third, someone nicked £8 of Costa points from my loyalty card. This also annoyed me–albeit slightly irrationally given that I rarely bother to redeem the points, hence having £8 built up. Again, I used a password that I’ve often used elsewhere to secure this account. I did report this, and Costa refunded the points and (so they told me) investigated the fraud.

What’s the point of all this? I suppose I realised that I cared more about many of my accounts than I thought I did. The convenience of using an easy password meant that my security was a bit lax around the edges, and I lost out around those edges. The system of using passwords to secure accounts inappropriately rewards lax behaviour on a day-to-day basis, as it is less hassle than securing things properly.

I’ve since used my password manager properly, changing all of my accounts to long random sequences of numbers, digits and symbols that even I don’t recognise, and got into the habit of generating new secure passwords every time I’m asked to set one up. This takes a very small amount of hassle, but certainly more hassle than a go-to easily remembered reusable password… until the account is breached, of course.

There are still settings where I maintain that a long string of characters as a password is not particularly helpful. For example, I was at a conference at the Royal Society of Medicine the other day where the delegate wifi password was long and complex. Who were they trying to keep out? Why was any password even necessary? But at the same time, it’s becoming clearer to me that lax security is no longer really good enough, even for seemingly insignificant accounts.

It seems to me that ‘password management’ has gone from being something that ‘techy people’ need to think seriously about, to something we all need to think about. And let’s be honest, most of us won’t, at least most of the time. So it’s always good to hear that passwords are being ‘phased out’. The sooner the better, as long as the alternative isn’t too much hassle!


The image at the top is by Christiaan Colen on Flickr, used under Creative Commons licence.

This 2,417th post was filed under: Posts delayed by 12 months, Technology.

Marine Way Bridge

This 2,416th post was filed under: Photo-a-day 2019.

The content of this site is copyright protected by a Creative Commons License, with some rights reserved. All trademarks, images and logos remain the property of their respective owners. The accuracy of information on this site is in no way guaranteed. Opinions expressed are solely those of the author. No responsibility can be accepted for any loss or damage caused by reliance on the information provided by this site.