Hacking Hacks

The News of the World phone hacking scandal has provided no end of entertainment and office chat over the past week. I must admit to getting swept along with the mob spirit and sending a few polite emails to various companies, expressing my wish that they cease advertising with the paper due to its nefarious activities. It’s all a bit of self-righteous moral masturbation of course. After all, the British social-networking crowd were recently falling over themselves to aid newspapers in exposing the private affairs of Ryan Giggs and other celebrities, who were using super-injunctions to keep details of their private lives out of the tabloids. And now everyone is waging war on the News of the World for going too far in giving people exactly what they want, and seem to believe they’re entitled to?

But you know what, fuck it. I never buy tabloid papers, and it’s nice to engage in a little moral posturing and schadenfreude when the targets are as disagreeable as Rupert Murdoch and his cohorts. I do feel a little sorry for the journalists who will lose their jobs now that the News of the World has been shut down. They’ve basically been used as human shields in News International’s desperate attempt to protect Rebekah Brooks at all costs. However, I’m not sure I buy into all their teary-eyed laments that NotW was a great paper and its closure a terrible loss. Looking through their website now the paywall has been pulled down, it just seems like a fairly worthless mix of tits, celebs and right-wing political rhetoric that the country won’t be much poorer without.

I also got involved in the campaign to stop Rupert Murdoch from taking over BSkyB, by submitting an entry to the government consultation on the matter. They’ve already achieved a minor victory, as the submission of over 100,000 responses to the consultation apparently means the decision will be delayed until at least September, as they examine every single response as they are legally required to do. If you want to contribute yourself, the consultation is closing on Friday 8th July, so I suggest you submit a response as soon as possible.

I didn’t send the form letter the campaign provided, as there seemed little point. It opines that the takeover is undesirable for various reasons, but the government’s line seems to be that its hands are tied as it can only block the deal on the grounds of media plurality, not on ethics. Therefore, I decided to write my own response, attempting to present a quasi-legal argument why recent events do in fact have a bearing on whether the deal affects media plurality. I don’t have the exact text of what I sent, so I can’t include it here (I may have used some language that it wouldn’t be wise to openly publish anyway), but I’ll try and provide a summary.

I am not a lawyer, so cannot really make a properly informed legal argument, but I decided to at least start by looking at what the law says. In particular, I found a Media Plurality Dossier by the London School of Economics that included an interesting quote from the relevant legislation:

2a.1. Enterprise Act 2002

“Section 67 allows the Secretary of State to intervene in order to protect legitimate interests, including that there is a sufficient plurality of persons with control of media enterprises.” http://www.legislation.gov.uk/ukpga/2002/40/contents

The use of the word “sufficient” seemed particularly interesting. What is “sufficient” plurality of the media? It seemed to me that if there was a case to be made, this was a promising area of attack.

News International has allegedly been involved in a wide range of illegal and immoral activities, and also an effort to cover up that activity that has continued for a number of years. Some claim this attempted cover-up is still ongoing. Perhaps of more concern, however, is that there seemed to be little appetite to investigate News International and hold them to account. The Metropolitan Police, the government, the Press Complaints Commission; all of them failed to give the oversight that it is their responsibility to provide. Even the rest of the press, with the exception of the Guardian, were highly reluctant to investigate or cover the story.

Why did this occur? The most plausible explanation appears to be that News International was powerful enough that it could frighten politicians, dissuade police officers, pay-off victims, and silence journalists. And it did exactly that for many years. Its power stemmed from the scale of its reach within British public life. It had too many newspapers, too many people on the payroll, and too many friends for anyone to cross it and expect to win, especially in the highly-political upper-echelons of bodies like the police, parliament and national newspapers.

This situation came about due to the plurality, or lack thereof, of the British media. Too much power has been concentrated in the hands of too few, unaccountable individuals. In this context, for the plurality of the media to be eroded even further, by allowing News International to take full ownership of BSkyB, seems highly foolish. It is clear that, instead, the definition of what is “sufficient” plurality needs to be examined in light of these events, with the likely conclusion that organisations like News International should be owning less of the media, not more. Media plurality over the past decade has obviously been grossly insufficient, and contributed to a media and wider establishment wholly unequal to the task of holding News International to account over its actions.

That was pretty much the gist of my argument, although I couldn’t resist getting in one, slightly cheeky, final point. Given that there is an ongoing police investigation into criminal activity by the News of the World, and that there are grounds to suspect that News International used its influence to unduly disrupt attempts to investigate and expose this activity, wouldn’t any decision by the government to extend News International’s influence even further mean it was essentially acting as an accessory to this activity? Not a position that government would want to be in, I’m sure!

That was more or less what I sent in. Given how quickly things are changing, the next days and months may render current questions about the takeover of BSkyB moot anyway, but I’m still glad I made my voice heard, in however small a way. I encourage you to do so as well. It really is therapeutic to unload on an issue like this, with the hope, however small, that it might have some effect or do some good somewhere down the line.

The Empire Writes Back

Yes, the government responded (a few days ago now actually, but I only just got around to posting this). I won’t copy their email here, because publishing communications from the Information Commissioner’s Office without their permission probably isn’t the smartest thing to do, but the gist of their message was an entirely friendly admission that yes, they aren’t entirely compliant yet. They’d like to be, but there’s still work to be done and they’ll be doing it over the forthcoming months. In particular they said they’d address the lack of cookie information on their notification form as a priority. So ho hum, how boringly reasonable of them!

The only point we didn’t seem to see quite eye to eye on was the issue of whether they are currently claiming that the session ID they are setting falls under the “essential services” exemption of the new regulations. I would argue, judging from the wording of their privacy policy, that they are, and that’s a disingenuous claim because there are ways to do what they’re doing without using cookies. They aren’t the way ASP.NET works out of the box, but they’re possible. However, since they say they’re planning on making further improvements, maybe we should give them the benefit of the doubt. For now. I’ll be interested to see what their site looks like in 6 months’ time.

Wherein I unwisely take on the government

The following is an email I just sent to the Information Commissioner’s Office internal compliance department regarding the failure of their website to comply with the new regulations on cookies that are coming into force in Europe:

Hi,

I am a professional working in the field of web development. As such, I have been looking into the new regulation surrounding the use of “cookies” by websites to track users and store information about them. During my investigation, it has become clear that your own site http://www.ico.gov.uk is not operating in compliance with the regulations as you explain them. What’s more, it provides misleading information that suggests it IS in compliance when it is not.

Upon browsing to your site, the user is presented with a notification that the site uses cookies and that one such cookie is “essential for parts of the site to operate and has already been set”. Checking the privacy notice for your site reveals that this is the ASP.NET session cookie which, according to your policy, falls under the category of “essential” cookies as it is essential for the “notification form” to operate. By “notification form”, I presume you mean the one available here: https://www.ico.gov.uk/onlinenotification/

There are serious problems with this line of argument:

  • Navigating directly to the notification form[1] sets the cookie, but does not inform the user. This situation could easily occur if a user has been sent a link in an email (such as this one) and therefore has not reached the form via the main page of the site, and will have been given no information on the use of cookies.

  • Your document[2] explaining the changes to regulations regarding cookies, says the following regarding the exemption for essential cookies:

    This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user.

    Clearly, a user who simply visits your site has not “explicitly requested” to use the notification form. In fact, they may not be intending to use it at all, or even be aware of it. I visited your site with the intention of discovering more information about the changes to the regulation regarding cookies, not to use the online notification form. At no point did I make any explicit request to use the service, so the exemption clearly does not apply.

  • The ASP.NET session cookie is NOT essential to have the online form work. I say this as someone with years of experience working directly with the Microsoft ASP.NET technology in question. It is quite possible to turn off[3] the ASP.NET session cookie and still have the site work. If this Microsoft mandated approach presented problems, you could also easily develop a solution that sets a cookie only when the user begins using the form, or develop a solution that does not use a cookie, and instead tracks state via hidden form fields.

Judging from how your website is operating, I would hazard a guess that the person(s) responsible for the maintenance of your site have tried to do the least possible they could in order to claim compliance with the regulations. The ASP.NET session cookie is enabled by default, and turning it off and developing an alternative solution would require marginally more effort. Therefore, they have disingenuously claimed that it is essential in an effort to save effort on their part.

I was surprised and disappointed to find these problems. If your own website cannot properly comply with the regulations, and apparently sees them as a nuisance to be skirted around, what message does that send to those of us in the industry who have to work to them?

Thanks,

Jon Rimmer

So anyway, if the men in black come to get me, you’ll know why.
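
The last alternative listed in the email above, and alluded to in the follow-up post (tracking multi-step form state in a hidden form field instead of a session cookie), as an added example that is not part of the original post or the ICO's code. It is a framework-neutral Python sketch rather than ASP.NET code; the key, the lifetime, the field name `state` and the `/notification/next` path are assumptions. Because the state now travels through the browser, the server signs it with an HMAC and rejects anything altered or stale.

```python
import base64, hashlib, hmac, html, json, time

# Constructed demo key (assumption); a real site loads a random secret from server config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 30 * 60  # assumed lifetime of a half-completed form


def b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def pack_state(state, key=SERVER_KEY, now=None):
    """Serialise form state and append an HMAC so the client cannot alter it.
    The payload is signed, not encrypted: the user can read it, so keep secrets out."""
    body = dict(state, _iat=int(time.time() if now is None else now))
    payload = b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    sig = b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def unpack_state(token, key=SERVER_KEY, now=None):
    """Return the state dict, or None if the token is malformed, forged or expired."""
    payload, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant-time compare
        return None
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    current = time.time() if now is None else now
    if current - body.pop("_iat", 0) > MAX_AGE_SECONDS:
        return None
    return body


def render_step(state, step_fields_html):
    """Render one step of the form; the state rides in a hidden field and no
    cookie is set at any point."""
    token = html.escape(pack_state(state), quote=True)
    return ('<form method="post" action="/notification/next">'
            '<input type="hidden" name="state" value="' + token + '">'
            + step_fields_html + "</form>")
```

A signed token can still be replayed until it expires, so a form whose final step must run only once needs a server-side check at submission as well.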