Spy-Site And Experian – Data Abuse

By Professor John Walker, November 8, 2020 (Updated: February 22, 2023). 11 Mins Read

On 29 October 2020, IsBuzzNews ran an article in its Expert Comments section on Experian and the UK Information Commissioner’s Office (ICO) finding that the credit agency was criminally wanting for sharing the personal information of millions of people without their consent, in what the ICO viewed as a blatant disregard of the mandated requirements of GDPR. However, unbeknown to IsBuzzNews, I was already researching the topic of Net Privacy and Data Abuse, and that research included the data abuser the ICO found culpable: Experian, who have been, and still are, sharing the personal information of millions of people without consent.

It was reported that Experian, the custodians of our data for a specific purpose, abused their privilege of access and sold our data on to businesses, which used it to identify who could afford goods and services, and also shared the content with political parties for their own use.

The ICO ruled that Experian must make fundamental changes to how they handle data or face a huge fine. However, even after being found out, the Dublin-based Experian said they would appeal, as they clearly see trading on the data to which they have such privileged access as their right; they suggested or implied that their processing was in support of the COVID-19 battle, and went on to comment:

“We believe the ICO [Information Commissioner’s Office] view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small business and charities, especially as they try to recover from the Covid-19 crisis.”

It is true that the company has made efforts to improve its practices; however, the ICO said the steps taken did not go far enough, and Experian have been granted a further nine months to get their house in order and clean up their abusive and profiteering ways to the regulator’s satisfaction, or face fines of up to £20m or 4% of global turnover, whichever is higher. In my opinion, given the findings, Experian should face those fines today.

I was talking with a very senior executive of the company some three years back, who said to me that they were leaving before the bad stuff hit the fan! Following that conversation, a two-year investigation was set in motion, born out of a robust complaint made by the campaign group Privacy International.

In the bigger picture, it was found that two other credit reference agencies, Equifax (already found guilty and shamed for Data Abuse and dishonesty) and TransUnion, conducted what was referred to as invisible processing of data, meaning that people were unaware of the activities of the data brokers, who collect and sell on information gathered from a variety of sources for profit.

The report found that the agencies had access to the data of almost every adult in the UK, which was then screened, traded, profiled, enriched or enhanced to provide direct marketing services to a multitude of commercial organisations, political parties and charities, helping them discover new customers and build profiles about subjects (people).

It is, however, worth noting that Equifax and TransUnion do not face any further action from the watchdog, because both accepted the findings and applied changes, including withdrawing some products and services.

It is clear, however, said the ICO, that all three credit reference agencies failed to clearly explain what they were doing with people’s data, despite this being a mandated requirement of the General Data Protection Regulation (GDPR), which would seem to have been ignored.

IsBuzzNews Expert Comment: Ian Lovett – Co-founder of Blue Venn

“The data industry has been under the spotlight for a number of years, and this incident brings forth the importance of data privacy once again. Credit agencies are in a privileged position of collating personal data for the purpose of credit referencing. I welcome the ICO intervention into the way companies like Experian have used this collected information for marketing purposes. No organisation should feel they are exempt from the legislation that is there to protect consumers. This incident further highlights the fact that there is still a long way to go when it comes to data hygiene, enhancement, and best practices. Organisations must understand that failure to handle data appropriately can lead to stark reputational damage and, at worst, financial penalties. Additionally, consumers are becoming more prudent when deciding who they share their data with, with many understanding the value that their data can hold. Understandably, for marketers, there is much to be gained from the data held in various platforms, which provides behavioural insights that are fundamentally unique and can generate further sales. With Google embarking on plans to remove third-party cookies from its Chrome browser by 2022, a broader transition is happening, marking the shift from 3rd party data to 1st party data. It is important that more companies invest in and look to build up their 1st party data intelligence now, through their own profiling tactics, to glean insights that are earned and freely offered up by the consumer. Importantly, there is also less privacy risk, as all data is organic and therefore more aligned with the regulatory standards of today.”

But the sad truth is that, while we see Experian profiteering from data abuse to the tune of millions of dollars, they are not alone. Every day, as users walk the Internet and follow links, they are exposed at multiple places: it is not enough that companies like Experian hold our data, but, as you can see from the image below (discovered October 2020), companies wish to leverage every opportunity to scrape what they can.

Fig 1 – Tracking URL Access (table)

The table at Fig 1 demonstrates how companies like Experian, and even some others surprisingly located in the Cyber Security community, such as McAfee, see fit to leverage data to whatever advantage they choose. This is common practice, which is why even ordinary users now need to apply a technological cloak when browsing the Internet, employing some defensive measure against the following:

Ad Trackers: Websites containing advertising tracking technology can load JavaScript code or small invisible images that are used either to build an advertising profile of the subject or to identify that subject for ad targeting on the site. These techniques are often used in addition to cookies for subject profiling. In the case of Experian, these trackers were detected on their page sending data to companies involved in online advertising such as DataXu (acquired by Roku Advertising), Alphabet Inc. and a number of others (seven in all).

Third-Party Cookies: These are commonly used for advertising purposes, allowing tracking companies to profile the subject based on their internet usage. In the case of Experian, twelve third-party cookies were discovered on their site, some of which were set for DataXu, Kantar, Operations and four others.

Tracking that Evades Cookie Blockers: Canvas fingerprinting is a technique designed to identify users even if they block third-party cookies, and it can be used to track users across sites. It secretly draws an image in the local browser when a user visits a website, for the purpose of identifying the user’s device.

Note: This technique has been used by six percent of popular sites when surveyed as of September 2020.

Website could be Monitoring Keystrokes/Mouse Clicks: In the case of Experian, this was detected as a session recorder, which tracks user mouse movement, clicks, taps, scrolls or even network activity. This data may then be compiled into videos and heat maps that website owners can watch to see how users interact with the site. In the case of Experian, Decible Insight Ltd (see Fig 1) was discovered.

Fig 2 – Decible Insight Ltd

Note: Research has shown these practices can be insecure and make sensitive user data, such as passwords and credit card information, more vulnerable to leaks. This technique was found to have been used by fifteen percent of popular websites when surveyed in September 2020.

Keystroke Capture: Canvas fingerprinting noted on the Huawei site – this is a technique designed to identify users even if they block third-party cookies, and it can be used to track users across sites. Again, it secretly draws an image in the local browser when the user visits a website that uses it, for the purpose of identifying the device employed.

Note: This technique was used by six percent of popular sites when surveyed in September 2020.

Facebook Pixel: The Facebook pixel employed by Experian is a snippet of code that sends data back to Facebook about the users who visit the site, which allows the site operator to later target them with ads on Facebook. 

A Facebook spokesperson told The Markup (the organisation that set up the Blacklight application) that a user does not have to be “simultaneously logged into Facebook and viewing a third-party website for our business tools to function.” Common actions that can be tracked via the pixel include viewing a page or specific content, adding payment information, or making a purchase.

Note: The Facebook pixel appeared in thirty percent of popular websites when surveyed in September 2020.

Google Analytics: Again, this seems to be in use on the Experian site. Google Analytics has a “remarketing audiences” feature that enables user tracking for targeted advertising across the internet. This feature allows a website to build custom audiences based on how a user interacts with that particular site, follow those users across the internet, and then target them with advertising on other sites using Google Ads and Display & Video 360.

Again, a Google spokesperson told The Markup that site operators are supposed to inform visitors when data collected with this feature is used to connect their browsing data with their real-world identity. You know when those shoes you were looking at follow you around the internet? This is one of the trackers.

Note: This feature appeared in fifty percent of popular websites when surveyed in September 2020.

Credit: Thank you to The Markup and Blacklight for the data and survey materials – https://themarkup.org

There are of course exceptions, so by no means is everyone on the net in the business of commercially exploiting your data. Unbeknown to a chap I know (sorry Andy) in the cyber-business world, I ran a test on his site at www.cybersecip.com and found it to be one of the few sites that do not abuse those who visit, with zero discoveries of any of the aforementioned techniques of potential data abuse – well done, faith in mankind has been partly restored!

Any user on the net, whether in the world of Cyber Security or just a shopper, now needs to take up a defensive posture to ensure that their data is not easily subjected to abuse and profiteering by those who feel they need not apply the rules of Data Protection or Privacy and who ignore GDPR. As such, there is now a very strong case for every net user to use commercial, trusted VPN (Virtual Private Network) services such as Proton VPN, and to browse with secure browsers such as Brave and DuckDuckGo to protect their connection and net presence.

Conclusion

In conclusion, a question: is GDPR as effective as it should be, or is it a toothless beast with a nasty suck rather than an effective bite when it comes to invoking fines?

In the example of Experian, they have been found wanting for trading data over an extended period, and even after a two-year investigation they have been granted a further nine months to correct their abuse – giving the company another nine months to profiteer. When companies like this are found with their hands in the data till, why do they not immediately suffer the consequences of their extended period of abuse? Should they not be fined, to help them with their decision-making and future activities? Or do we simply sit back and let them carry on, this time disgustingly using the global pandemic as their lame excuse!

The situation encountered when visiting a website would seem akin to visiting a local store. In some stores you may walk in and peruse the merchandise on offer, from which you may or may not make a purchase. In other stores, however, upon entry you are required to provide some information as to your identity, shopping habits and address (physical, not IP-based) and a few other titbits of information, whether you make a purchase or not. In the latter stores, unbeknown to the shopper, they are actually the valuable merchandise, which will be traded, shared and profited from – in some cases without their knowledge or consent.

Professor John Walker

John is the Principal at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham Trent University (NTU), and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle and Far East to Commercial, Industrial, Financial Services Sector and Military Agencies, including in the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina and Sao Paulo.

He served in the Royal Air Force for 22 years, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG and others in the fields of SIGINT, COMINT and Satellite Communications, and holding appointments such as System ITSO for a CIA SCIF.

In the commercial IT/Cyber sectors he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons and TSol (Treasury Solicitors), and has provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority, Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
