Shadow profiles and the MyHeritage security breach

Shadow profile

I received an email from Have I Been Pwned that my email address and password had been exposed in a breach from MyHeritage. Most breaches are somewhat worrisome, but as I don’t reuse passwords (I have a password manager with lengthy random passwords), it’s less of a problem.

MyHeritage Statement About a Cybersecurity Incident

What was shocking about the MyHeritage breach for me was that I have never logged in to or used MyHeritage, ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.

I believe a member of my large family entered my email address and then added details about me into MyHeritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked wasn’t even set by me, but rather auto-generated by MyHeritage? The only way I could get access to the account was via a password reset. Once in, I deleted my account straight away, but I thought about it some more.

The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.

If I’m right this is deeply troubling and a worrying precedent!

Perceptive theme park rides?

Tony tweeted me about this thrill machine which uses body data to influence how the ride operates. The link comes from Mashable and I was able to trace it back to the original.

“…while building this attraction I also wanted to change the usual one-sided relation – a situation where the body is overwhelmed by physical impressions but the machine itself remains indifferent, inattentive for what the body goes through. Neurotransmitter 3000 should therefore be more intimate, more reciprocal. That’s why I’ve developed a system to control the machine with biometric data. Using sensors, attached to the body of the passenger – measuring his heart rate, muscle tension, body temperature and orientation and gravity – the data is translated into variations in motion. And so, man and machine intensify their bond. They re-meet in a shared interspace, where human responsiveness becomes the input for a bionic conversation.”

https://danieldebruin.com/neurotransmitter-3000

It’s a good idea but unfortunately couldn’t work on rollercoasters, which are my thing. Or could it? For example, everyone’s hands up in the air means what? The ride goes faster? How on earth does that work? How meaningful would this be if you could actually do this?

It’s one of the research questions we attempted to explore in the Living Room of the Future. How can you combine different people’s personal data to construct an experience which is meaningful and not simply a medium of it all?

These global changes don’t seem meaningful or so useful? Maybe it’s about the micro changes, like those mentioned previously.

Of course others have been working around this type of thing too.

Over 15 years of Flickr data

All those files to download

It’s been a long haul but finally Flickr is beyond use for me. I briefly tried Flickr Pro for a while, but there are so many other options now. It’s a shame; Flickr went through a lot of trouble at the end but was saved from the Yahoo craziness by SmugMug. But even looking at the Pro account prices, I decided that after…

It was time to leave Flickr and just let it start deleting my photos, which I mainly had backed up in multiple places anyway.

I was quite impressed with Flickr’s data portability option; for example, the uploaded files are exactly the same. But it would have been great if they embedded the tags into the original EXIF data. However, it seems they kept the tags in the account data. So with some work, it would be possible to pull the whole lot together again? I’m actually surprised no one’s already done this?

10 years of data surveillance challenge

So many people are doing the Facebook 10 year challenge and I’m so happy to see Wired’s piece asking the question of what Facebook could be doing with the photos.

Of course some people think it’s all blown out of proportion; cue Jeff Jarvis on TWiT recently. As Leo says at the end of the clip, Facebook and others will lie and claim one thing, but from past experience we have caught them lying.

More gender issues I’ve spotted

http://nobaddatesjustgoodstories.tumblr.com/post/173444153673

I had planned a series of blog posts about different gender items I’ve seen in blog posts, the news, etc. but never got the time. Instead I kept adding them to wallabag and tagging them to blog.

So think of this blog post as a series of microblogs with little comments after each link.

No baby slings or bananas: are these the new fragile masculinity rules?

This one sums up so many things I hear and can’t stand. She’s right: how fragile is masculinity that eating a banana in a certain way can cause idiots to worry? It’s frankly so stupid I can’t bring myself to say anything more than what I’ve said before.

We can’t want gender equality and still expect guys to pay for the first date and Viewpoint: ‘Why most men should pay on first dates’

Dare I say anything more…? To be fair, it’s been a long time since I mentioned who pays on the first date. But to be fair there are arguments and tensions, which is why it keeps coming up. For example, if you take the massive gender pay gap and then exercise it in who pays for the bill, most heterosexual dates would have the man paying 20-33% more for the bill. This was noted to me and I pointed out the minority pay gap is pretty awful too, making things even more tricky on a first date.

How thrillers offer an antidote to toxic masculinity and Flirting and you’ll be called a rapist? Oh please grow up, Superman

Lessons in how to be a good man? Maybe? Not so sure, as the old-fashioned view from Superman actor Henry Cavill says it all. Generally the men in thrillers I’ve seen might be better than the toxic masculinity you see now, but not exactly enlightened about feminism.

What Do Men Think It Means To Be A Man?

So this is very interesting research. I originally heard the love, sex and money issue a while ago, but didn’t dig into the survey till recently.

When I read,

Pop culture was a source of inspiration for an understanding of manhood for younger men (42 percent of those age 18 to 34), while only 17 percent of men 35 to 64 and 12 percent of men 65 and over said the same.

My instant thought was something of a worry, as I’m not seeing the best examples in pop culture (although I have to admit I don’t spend much time in pop culture so maybe I’m automatically biased).

Societal pressure and daily concerns were another key one, which I’d love to have similar results for from a decade ago and a decade before that.

The question “How would you say it’s an advantage to be a man at your work right now?” blew my mind…

59% of men surveyed didn’t think “Men are taken more seriously”, “Men make more money”, “Men have more choice”, “Men have more professional development opportunities”, “Men generally have more support from their managers” or “Men are explicitly praised more often”?

This is delusion at its worst, even with the #metoo movement making this super clear. But it is consistent with a conversation I had at my barber’s a while ago, to be fair, when I mentioned going to see the Guilty Feminist live recording in Liverpool.

All of the survey data is on GitHub, which feels like it could be more data to add to the Modern Romance Reddit data. Some of this may appear in my book one day.

A spy under the tree for the holidays?

The Observer on IOT and spying

Quite enjoyed the Guardian’s piece about the raft of home IoT devices coming to the home these holidays.

If you’ve so far withstood the temptation to install a smart speaker in your home, worried about the potential privacy pitfalls and a bit embarrassed about the notion of chatting aimlessly to an inanimate object, brace yourselves. This Christmas, the world’s biggest tech giants, including Amazon, Google and Facebook, are making another bid for your living room, announcing a range of new devices that resemble tablets you can talk to.

It was a really welcome surprise to read/hear Alexandra Deschamps-Sonsino too. Her new book Smarter Homes: How Technology Will Change Your Home Life is pretty much on the money.

“It’s very clear what they’re trying to do: sell you more stuff through third-party use of your own information,”

The fear about whether or not such devices are actually always on causes some users to relegate their smart speakers to corridors. “Think about where in the home you want to use these things, particularly if you think they might be listening all the time,”

I had the joy of capturing some of Alexandra’s early thoughts while putting together the ethics of personal data video interviews back in 2015.

I think the only thing missing from the article is a link to Mozilla’s buyers’ guide, which charts in a friendly consumer fashion what’s actually going on underneath the surface of the IoT devices we may get over the holiday period.

The Living Room of the Future at the V&A Museum – this weekend!

On the weekend of the 22nd to 23rd September 2018, the Living Room of the Future will be at the London Design Festival’s Digital Weekender at the V&A Museum.

Tickets are still available but there is a waiting list for certain times. Of course if there is space we will add you to the audience, but we do have a physical limit on each showing.

Come and visit us and give your views… See you there!

Data-portability and the data transfer project?

data transfer project

It’s over 14 years since the DataPortability project was founded by a bunch of well-meaning people, including myself. It was a challenging time with vendor lock-in, walled gardens and social guilt trips; to be honest, little changed until very recently with GDPR.

Data export was good, but user-controlled data transfer is something special and one of the dreams of the DataPortability project. Service to service, not because there was a special agreement set up between the services but because you chose to move of your own free will; it makes so much sense.

This is why I was kind of sceptical of the Google Data Transfer Project. But on a deeper look it’s pretty good.

In 2007, a small group of engineers in our Chicago office formed the Data Liberation Front, a team that believed consumers should have better tools to put their data where they want, when they want, and even move it to a different service. This idea, called “data portability,” gives people greater control of their information, and pushes us to develop great products because we know they can pack up and leave at any time.

In 2011, we launched Takeout, a new way for Google users to download or transfer a copy of the data they store or create in a variety of industry-standard formats. Since then, we’ve continued to invest in Takeout—we now call it Download Your Data—and today, our users can download a machine-readable copy of the data they have stored in 50+ Google products, with more on the way.

Now, we’re taking our commitment to portability a step further. In tandem with Microsoft, Twitter, and Facebook we’re announcing the Data Transfer Project, an open source initiative dedicated to developing tools that will enable consumers to transfer their data directly from one service to another, without needing to download and re-upload it. Download Your Data users can already do this; they can transfer their information directly to their Dropbox, Box, MS OneDrive, and Google Drive accounts today. With this project, the development of which we mentioned in our blog post about preparations for the GDPR, we’re looking forward to working with companies across the industry to bring this type of functionality to individuals across the web.

All sounds great, and the code is open source on GitHub for anyone to try out. The paper is worth reading too.

However! The devil is in the data, or rather the lack of it. As the EFF point out, there’s no tracking data exchange, the real crown jewels. The transfer tool is good, but if the services don’t even share the data, then what’s the point?

GDPR dating information update

Hackers movie

With GDPR I sent out emails to OkCupid, Plenty of Fish, Tinder and others. So far I’ve only gotten responses from POF and OkCupid. Which means Tinder and others have about a day or so to get back to me with everything before I can start to throw down some fire.

Before I headed on holiday, I got a message from POF, then OkCupid a day later, saying they needed the request to come from the email address which is on the account. Fair enough, so I forwarded each email to that email address and replied-all to myself and to them, but from that email account.

A few days later I got emails, first from POF and then OKCupid.

You have recently requested a copy of your PlentyofFish (“POF”) personal data, and we’re happy to report that we have now verified your identity.

We are attaching a copy of your personal data contained in or associated with your POF account. The password to access the personal data will be sent in a separate email.

By downloading this data, you consent to the extraction of your data from POF, and assume all risk and liability for such downloaded data. We encourage you to keep it secure and take precautions when storing or sharing it.

The information contained in this archive may vary depending on the way you have used POF. In general, this information includes content and photos you have provided us, whether directly or through your social media accounts, messages you have sent and other data you would expect to see from a social media service like POF.

Please note that there is some information we cannot release to you including information that would likely reveal personal information about other users. Those notably include messages you received on POF, which are not provided out of concern for the privacy of the senders.

Sincerely,

POF Privacy Team

Then similar from OkCupid, which makes sense, being the same company really.

Dear Mr. Forrester:

You have recently requested a copy of your OkCupid personal data, and we’re happy to report that we have now verified your identity.

We are attaching a copy of your personal data contained in or associated with your OkCupid account. The password to access the personal data will be sent in a separate email.

By downloading this data, you consent to the extraction of your data from OkCupid, and assume all risk and liability for such downloaded data. We encourage you to keep it secure and take precautions when storing or sharing it.

The information contained in this archive may vary depending on the way you have used OkCupid. In general, this information includes content and photos you have provided us, whether directly or through your social media accounts, messages you have sent and other data you would expect to see from a social media service like OkCupid.

Please note that there is some information we cannot release to you including information that would likely reveal personal information about other users. Those notably include messages you received on OkCupid, which are not provided out of concern for the privacy of the senders.

Sincerely,

OkCupid Privacy Team

So on my train journey from Stockholm to Copenhagen, I had a look inside the zip files shared with me. Quite different; it’d be interesting to see what others will do.

  • Forrester, I – POF Records.zip
    • UserData.json | 6.2 kb
    • UserData.pdf | 40.5 kb
    • Profile_7.jpg | 30.1 kb
    • Profile_6.jpg | 25.0 kb
    • Profile_5.jpg | 17.4 kb
    • Profile_4.jpg | 18.8 kb
    • Profile_3.jpg | 26.6 kb
    • Profile_2.jpg | 11.7 kb
    • Profile_1.jpg | 30.7 kb
  • OkCupid_Records_-Forrester__I.zip
    • Ian Forrester_JSN.txt | 3.8 mb
    • Ian Forrester_html.html | 6.6 mb

As you can see, quite different; interestingly there are no photos in the OkCupid data dump, even the ones I shared as part of my profile. In POF the PDF is a copy of the JSON file, which is silly really.

So the JSON files are the most interesting parts…

Plenty of Fish

POF doesn’t have much interesting data, basically a copy of my profile data in JSON, including Firstvisit, FirstvisitA, etc. to FirstvisitE, complete with my IP address. I can also confirm I started my profile on 2012-01-25.

Then there are my BasicSearchData and AdvancedSearchData, which include the usual stuff and when I LastSearch’ed and from which IP address.

Nothing else… no messages.

OkCupid

OkCupid has a ton more useful information in its JSON. Some interesting parts: I have logged into OkCupid a total of 24157 times! My status is Active? My job is Technology? The geolocation_history is pretty spot on and the login_history goes from July 2007 to the current year, complete with IP and time.

The messages are really interesting! They decided to share one side of the messages, so only the ones you sent rather than what you received. As the messages are not like emails, you don’t get the quoted reply, just the sent message. Each item includes who it’s from (me) and the time/date. There are some which are obviously an instant messenger conversation, which look odd reading them now. In those ones, there are also fields for peer, peer_joined, time and type. It’s also clear where changes have happened, for example when you used to be able to add some formatting to the message and you used to have subject lines.

Some which stick out include “Allergic to smoking?”, “insomnia”, “ENTP and where next”, “The Future somewhat answered”, “So lazy you’ve only done 40 something questions”, “Dyslexia is an advantage”, “But would you lie in return? No bad jokes”, “gotland and further a field”, “Ok obvious question”, etc.

Next come the photos (my photos, no one else’s).

    "caption": "OkCupid's removal of visitors is so transparent, I don't know why they bothered to lie to us all?",
    "photo": "https://k1.okccdn.com/php/load_okc_image.php/images/6623162030294614734",
    "status": "Album Picture Active",
    "uploaded": "2017-08-08 19:16:20"

Of course the images are publicly available via the URL, so I could pull them all down with a quick wget/curl. Not sure what to make of this idea of making them public. Security through obscurity, anyone?

Stop screwing with OKCupid
As long as you can see the picture above, OKCupid is making my profile pictures public

Now the image strings seem to be random, but I don’t think this is a good idea at all! Wondering how it sits with GDPR too, and also wondering if they will remove them after a period of time. Hence if the image above is broken, then you know what happened.

Then we are on to the purchases section. It details when I once tried the A-List subscription and when I cancelled it. How I paid (PayPal), how much, address, date, etc… It’s funny reading about when I cancelled it…

    "comments": "userid = 7367007913453081320 was downgraded to amateur",
    "transaction": "lost subscription",

The big question I always had was the question data. Don’t worry, they are all there! For example, here’s just one of mine.

    {
        "answer_choices": {
            "1": "Yes",
            "2": "No"
        },
        "prompt": "Are you racist?",
        "question_id": 7847,
        "user_acceptable_answers": [
            "No"
        ],
        "user_answer": "No",
        "user_answered_publicly": "no",
        "user_importance": "mandatory"
    }

After all those questions, there’s a bunch of stuff about user_devices I’ve used to log into OkCupid over the years, going right back. Stuff about preferences for searches, etc.

Going to need some time to digest everything, but the OkCupid data dump is full of interesting things. I might convert the lot to XML just to make it easier for me to overview.
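As an added example (not the post’s or OkCupid’s own code), here is a small Python script that reads an export laid out like the fragments quoted in this post and pulls out the facts a data subject would want to check: how many logins from how many IP addresses and over what date range, which photo URLs are still marked active (and so fetchable without a login), and which question answers were marked private but are still held in full. The field names follow the fragments quoted above; the sample export is constructed for illustration and is not from any real account.

```python
"""Summarise an OkCupid-style GDPR JSON export (added example, not the
author's code).  Field names follow the fragments quoted in the post
(login_history, photos, questions); the sample data below is constructed
for illustration and is not from any real export."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample mirroring the structure the post quotes.
SAMPLE_EXPORT = json.dumps({
    "login_history": [
        {"ip": "203.0.113.7", "time": "2007-07-14 09:12:00"},
        {"ip": "203.0.113.7", "time": "2012-01-25 21:03:10"},
        {"ip": "198.51.100.42", "time": "2018-05-30 08:45:55"},
    ],
    "photos": [
        {"caption": "constructed caption",
         "photo": "https://example.invalid/images/0000000000000000001",
         "status": "Album Picture Active",
         "uploaded": "2017-08-08 19:16:20"},
    ],
    "questions": [
        {"answer_choices": {"1": "Yes", "2": "No"},
         "prompt": "Are you racist?", "question_id": 7847,
         "user_acceptable_answers": ["No"], "user_answer": "No",
         "user_answered_publicly": "no", "user_importance": "mandatory"},
        {"answer_choices": {"1": "Yes", "2": "No"},
         "prompt": "constructed public question", "question_id": 1,
         "user_acceptable_answers": ["Yes"], "user_answer": "Yes",
         "user_answered_publicly": "yes", "user_importance": "somewhat"},
    ],
})


def summarise(raw):
    """Return the facts a data subject would want to check in the export."""
    data = json.loads(raw)
    logins = data.get("login_history", [])
    times = sorted(datetime.strptime(entry["time"], "%Y-%m-%d %H:%M:%S")
                   for entry in logins)
    ips = Counter(entry["ip"] for entry in logins)
    # Photo URLs need no login to fetch, so every active entry is
    # effectively public for as long as the URL stays live.
    public_photos = [p["photo"] for p in data.get("photos", [])
                     if p.get("status", "").endswith("Active")]
    # Answers the user marked private are still held and exported in full.
    private_answers = [(q["question_id"], q["prompt"], q["user_answer"])
                       for q in data.get("questions", [])
                       if q.get("user_answered_publicly") == "no"]
    return {
        "login_count": len(logins),
        "first_login": times[0].date().isoformat() if times else None,
        "last_login": times[-1].date().isoformat() if times else None,
        "distinct_ips": len(ips),
        "public_photo_urls": public_photos,
        "private_answers": private_answers,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Point the script at the real `Ian Forrester_JSN.txt` by reading the file into `raw` instead of `SAMPLE_EXPORT`; the top-level keys in a genuine export may sit under a different wrapper, so check the file’s structure first.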

OkCupid responds to my GDPR request

OkCupid no Match protest

I mentioned how I emailed a load of dating sites for my data, and then some, under GDPR. So far I’ve got something from POF, but OkCupid finally got back to me, after my request finally made it to supportconsole@okcupid.com.

Hello,

OkCupid has received your recent request for a copy of the personal data we hold about you.

For your protection and the protection of all of our users, we cannot release any personal data without first obtaining proof of identity.

In order for us to verify your identity, we kindly ask you to:

1. Respond to this email from the email address associated with your OkCupid account and provide us the username of your OkCupid account.

2. In your response to this email, please include a copy of a government-issued ID document such as your passport or driving license. Also, we ask you to please cover up any personal information other than your name, photo and date of birth from the document as that is the only information we need.

We may require further verification of your identity, for example, if the materials you provide us do not establish your identity as being linked to the account in question.

Please note that if you previously closed your account, your data may be unavailable for extraction as we proceed to its deletion or anonymization in accordance with our privacy policy. Even if data is still available for extraction, there is some information we cannot release to you including information that would likely reveal personal information about other users. Those notably include messages you received on OkCupid, which are not provided out of concern for the privacy of the senders.

Best,

OkCupid Privacy Team

Pretty much the same as the POF reply.