UPDATE:

- Apple’s Q&A on the iPhone geo services.

- Q&A: Jobs and Apple Execs on Tracking Down the Facts About iPhones and Location

Christopher Poole:

Anonymity allows users to reveal themselves in a “completely unvarnished, unfiltered, raw way”.

Yes, but the social constraints of real-ID public expression help us to behave ethically and correctly. Anonymity should be the exception, not the rule.

For sale: Personal details of millions of Ladbrokes gamblers, offered to the MoS by a mysterious Australian

The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to the Mail On Sunday. The huge data theft is now at the centre of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad.

(more…)

This is no fake claim, as attested to by the fact that a “taster” of the full database was handed over by the culprit, fully ten thousand names and highly confidential personal details for the purpose of whetting the potential client’s appetite.

Hey-ho. The gambling industry at its predictable worst.

These incidents are not new – I reported on an occurrence a few years ago in which an online gambling industry leader touted a database of 100,000 UK players to the highest bidder on his forum. Neither are they remotely hard to believe; while the average customer service representative might struggle to access his company’s full customer list, an employee higher up the chain in the IT department should have no such difficulty – a quick copy, paste and save…and it’s time to start lining up the buyers. I daresay the names of four and a half million bona fide gamblers would fetch a very fine price.

And while our data watchdog, the ICO, huffs and puffs its righteous indignation, I’m sure they know there really is very, very little you can realistically do about this. Just one employee with access is all you need.

It serves as a reality check: when you put your details online, they are just that: online. Assume that, at some future point, someone will be hawking your phone number, email and physical address to the highest bidder.

I commented also in my Ladbrokes data theft post, and see also the Racing Post’s Ladbrokes reassure users over data protection article.

Oh well, I don’t know; maybe privacy is overrated.

- FireFox: https://addons.mozilla.org/en-US/firefox/addon/6623

- MicroSoft Windows: http://www.ccleaner.com/

- Macintosh OS: http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/

I had 120 of those fucking Flash cookies. Removed all of them. Bastards.

Another useful aspect of the likes of Moneybookers and Neteller is their incorporation in the UK, putting then under the control of the FSA and answerable to all aspects of UK law, including the 1998 Data Protection Act. They have access to a considerable amount of sensitive customer data – credit cards, bank accounts and all manner of identity verification documentation – so the tight legal framework they are bound by is important for customer peace of mind.

But how secure is the data?

Just over a year ago I started having doubts, when a Moneybookers customer reported that his account had been closed on the basis of information received from a casino client, but without ever being notified by Moneybookers as to exactly what the information was – I reported on this my Moneybookers: potential breach of UK law article.

If you look at the “rights of data subjects” section of the Data Protection Act, this bit jumps out:

7 Right of access to personal data

(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled -

(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of -

(i) the personal data of which that individual is the data subject,

(ii) the purposes for which they are being or are to be processed, and

(iii) the recipients or classes of recipients to whom they are or may be disclosed,

(c) to have communicated to him in an intelligible form -

(i) the information constituting any personal data of which that individual is the data subject, and

(ii) any information available to the data controller as to the source of those data

It seemed to me that these clauses had been breached, as the data had not been disclosed to the “data subject” – customer – in question.

More recently, another possible breach came to my attention: the customer of one Cherry Red Casino had winnings confiscated on the basis of information apparently received from Moneybookers. I requested and reviewed his email correspondence with the casino in question, and posted extracts in my Cherry Red Casino and Moneybookers article. Most worrying was this revelation:

We have worked closely with third parties to ascertain which players are genuine and which are fraudulent and yours has come back as being connected to other players in Europe and as having transferred funds between Moneybookers accounts.

We are certain that the information we had received from Moneybookers and third parties constitute to the answers we have given players.

So, confidential information of some kind or another was evidently disclosed, by the payment solution to the gambling operation, with no notification to the player.

Another player reported publically, on another similar case, in the Gambling Industry Association Rushmore Casino discussion. Here, an affiliate representative gave a little more detail about the nature of the information:

Moneybookers…only confirmed with us which Moneybookers email addresses were linked and had transferred funds between themselves, it was a yes or no answer and included no further private or confidential banking information or otherwise. Moneybookers…confirmed that these accounts were in fact connected and…transferred funds between their accounts also.

There are a few problems here.

In the first place, confidential information is supposed to be genuinely confidential, and informing a third party of aspects of a customer’s account and the people to whom they make transfers is not an aspect of “confidentiality” that I am aware of. The customer in question was at no point notified by Moneybookers of the disclosure, in whatever format, of his account details to third parties.

I am not a lawyer, but this does not look right to me, insofar as it appears to contravene the section of the DPA that I quoted above.

In the second place, and marginally off the question of confidentiality but highly relevant to customers of these payment solution providers and the industry as a whole, is that this information may be leading to bogus conclusions – the fact that Customer A transfers funds to customers B and C does not necessarily make Customer A guilty of an illegal act. Whether or not the customer is guilty, the correlation between the guilt and the account activity in question is by no means absolute.

Here is a possible scenario:

Casino: “We believe these two players are connected (and therefore guilty of activities we do not allow); can you confirm this?”

Moneybookers: “Yes; the two accounts in question have transferred and received funds”.

On this basis, to summarise my above points:

1) This disclosure to a third party of a customer’s account activity may be leading to entirely erroneous conclusions.

2) More importantly: at no point was the customer – or rather, customers – informed of these behind-the-scenes information exchanges. This appears to me, in line with simple reasonable behaviour, unacceptable, as one ends up being convicted with no right of defence. But more importantly, the nature of the disclosure in question does not appear to me to adhere to the laws I quoted above.

I have, myself, carried out a few “person to person” transfers with Neteller, the payment solution I use. I would hope that Neteller never disclose this aspect of my account, or any other, to third parties.

Whether or not Moneybookers discloses aspects of my account to third parties is irrelevant to me. I no longer use their services.

I will be forwarding this article to Moneybookers for their comments.