SEARCH CLINIC

Scientists say it is remarkably easy to identify a mobile phone user from just a few pieces of location positioning information.Whenever a phone is switched on, its connection to the network means its position and movement can be plotted.

This data is given anonymously to third parties, both to drive services for the user and to target advertisements.

But a study Unique in the Crowd: The privacy bounds of human mobility in Scientific Reports warns that human mobility patterns are so predictable it is possible to identify a user from only four data points.

The growing ubiquity of mobile phones and smartphone applications has ushered in an era in which tremendous amounts of user data have become available to the companies that operate and distribute them – sometimes released publicly as “anonymised” or aggregated data sets.

These data are of extraordinary value to advertisers and service providers, but also for example to those who plan shopping centres, allocate emergency services, and a new generation of social scientists.

Yet the spread and development of “location services” has outpaced the development of a clear understanding of how location data impact users’ privacy and anonymity.

For example, sat-nav manufacturers have long been using location data from both mobile phones and sat-navs themselves to improve traffic reporting, by calculating how fast users are moving on a given stretch of road.

The data used in such calculations are “anonymised” – no actual mobile numbers or personal details are associated with the data.

But there are some glaring examples of how nominally anonymous data can be linked back to individuals, the most striking of which occurred with a tranche of data deliberately released by AOL in 2006, outlining 20 million anonymised web searches.

Recent work has increasingly shown that humans’ patterns of movement, however random and unpredictable they seem to be, are actually very limited in scope and can in fact act as a kind of fingerprint for who is doing the moving.

Researchers at the Massachusetts Institute of Technology (MIT) and the Catholic University of Louvain studied 15 months’ worth of anonymised mobile phone records for 1.5 million individuals.

They found from the “mobility traces” – the evident paths of each mobile phone – that only four locations and times were enough to identify a particular user.

“In the 1980s, it was shown that you need 12 points to uniquely identify and characterise a fingerprint,” said the study’s lead author Yves-Alexandre de Montjoye of MIT.

“What we did here is the exact same thing but with mobility traces. The way we move and the behaviour is so unique that four points are enough to identify 95% of people.”

“We think this data is more available than people think. When you think about, for instance wi-fi or any application you start on your phone, we call up the same kind of mobility data.

“When you share information, you look around you and feel like there are lots of people around – in the shopping centre or a tourist place – so you feel this isn’t sensitive information.”

Sam Smith of Privacy International said: “Our mobile phones report location and contextual data to multiple organisations with varying privacy policies.”

“Any benefits we receive from such services are far outweighed by the threat that these trends pose to our privacy, and although we are told that we have a choice about how much information we give over, in reality individuals have no choice whatsoever.” 

A network of thousands of computers which stole millions of dollars from advertisers by generating fake advert viewings has been discovered.British web analytics firm Spider.io claims the “Chameleon” botnet is made up of 120,000 home PCs and costs advertisers £3.9 million per month.

Spider.io said that Chameleon simulated clicks on adverts on over 200 sites.

The firm said the botnet was responsible for up to nine billion false ad views every month.

Websites that show display ad receive money when an ad is viewed, in what is called cost-per-impression advertising. It works by money being paid when an ad impression is viewed, and advertisers selling a product or a service pay the website owner a fixed amount each time their ad is viewed.

The ads are typically placed by advertising networks that act as middlemen – the network places the ad on the publisher’s site and the advertiser pays the network and the publisher.

Advertisers use clicks and mouse movements over ads as leading indicators of visitor intent – meaning that the users being shown ads are more likely to buy a product or sign up to a new service.

So if a malicious programme generates clicks or mouse traces, then advertisers will be encouraged to buy more ad space.

Spider.io said that about 95% of the hijacked machines were in the US.

“This particular botnet is being used to emulate human users surfing the web, mimicking normal browsing sessions and normal ad engagement,” said the firm’s chief executive Douglas de Jager.

“It is difficult to imagine why one would run this type of botnet across a cluster of 202 sites other than to commit display advertising fraud.

“Unfortunately, we can’t be sure precisely which of the financially motivated parties is behind this. It could perhaps even be a single person within one of the companies, unbeknownst to others at this company.”

He added that the company was able to spot the botnet thanks to a very specific behaviour of the infected computers.

“The bots subject host machines to heavy load, and the bots appear to crash and restart regularly,” he said.

“When a bot crashes the concurrent sessions end abruptly; upon restart the bot requests a new set of cookies. These crashes and idiosyncratic site-traversal patterns are just two of the many bot features that provide for a distinctive bot signature.”

“Advertising networks – not the advertisers themselves – need to work harder at identifying the difference between a genuine user clicking on an ad, and a compromise computer that has been turned into a click-fraud bot.”

Despite record EU unemployment, the European Commission has launched a “grand coalition” to address the region’s IT skills shortages.Digital agenda commissioner Neelie Kroes told delegates at the CeBIT exhibition that the EU’s competitiveness is “under threat” if it cannot fill the expertise gap.

The shortages come at a time of high unemployment across Europe, she added, calling for greater awareness of IT career opportunities.

Together with European Commission president Jose Manuel Barroso, Ms Kroes said that 1 million euros (£860,000) will be invested into the coalition.

“This coalition is not about reinventing the wheel. It should be about building on existing success,” she said.

“I want people to be open in their commitments, join forces where they see the chance, and recognise we need to do things differently.

“Quite simply, facing hundreds of thousands of unfilled vacancies, we cannot continue as we were; and we must all do our bit.”

The commission’s own figures suggested that there will be 900,000 vacancies for IT-related roles by 2015. There are currently about 26 million people unemployed across Europe.

The number of “digital jobs” – jobs based around IT – is growing by about 100,000 every year, yet the number of skilled IT graduates is failing to keep pace.

Jose Manuel Barroso launched the digital jobs coalition

Ms Kroes said she now wants to have companies move “from ‘wouldn’t-it-be-nice-if’ to, ‘here’s-what-we-are-going-to-do’.”

The commission highlighted several new initiatives already taking places, including Telefonica’s investment in start-ups, and Cisco’s pledge to train 100,000 people to install smart-meters into homes.

The commission’s proposals include simplification of the certification system, making it easier to prove what skills a graduate has, regardless of the EU country in which they have worked or studied.

Technology skills shortages have been cited as a pressing problem for several companies which rely on highly-skilled engineers to further their development.

In January, Google chairman Eric Schmidt announced that his firm was to contribute to a scheme to give schools 15,000 free microcomputers.

The British Raspberry Pi devices will also be used to encourage young children into learning coding skills.

The days of the tiresome password may be numbered- according to Paypal.The fact is that the way we users typically deal with having multiple passwords for our online accounts makes us too vulnerable to spyware, phishing and identity theft.

Many of us rely on the same password, while many more of us only use three or four passwords.

Ideally, the best password would be at least 16 characters with capitals, numbers and special characters – but you’d never remember it.

So the industry is looking to ditch passwords, and is turning to a variety of solutions, such as voice recognition, key stroke analysis and finger print identification.

Payments firm PayPal is one of those leading the changes, and president David Marcus says the aim is to make the whole process seamless.

“Like magic, you’ll be authenticated, and the payment will go through. We want to move away from passwords, and get to embedded fingerprint scanners on mobile phones.”

“You’re going to start seeing that type of experience later this year, with a mass roll-out in the year to come.”

Earlier this month, PayPal, Lenovo and others announced the formation of the Fido Alliance (Fast Identity Online) to change the way online security checks are carried out.

The idea is that users will be able to select the type of authentication that suits them best – from fingerprint scanning to USB tokens.

“The best protection is the one you don’t see – it’s the one that happens in the background, that verifies your identity accessing your own data,” says Mr Marcus.
‘Untapped potential’

For PayPal, solving the password security problem is important because so many people now use it to make purchases – it has 125 million customers in more than 190 countries.

“You shop offline more than you shop online, but in most of these transactions mobile is involved now,” says Mr Marcus.

“As the offline market is 17 times bigger than the online market, there is still huge untapped potential for us.”

The key driver for this has been the way in which customers are increasingly using phones, tablets and other handheld devices to make purchases.

Last year, PayPal recorded $145 billion (£95bn) in total transactions, of which $14 billion were via mobile devices, says Mr Marcus.  “But the year before it was less than $4 billion.

All of which should be welcome news for those of us who continually have to email our online retailers for new passwords, because we’ve forgotten the one we asked them for the last time we tried to buy something from them.

Online music piracy across the world “declined significantly” in 2012, according to a new report.The NPD Group said last year the number of users on peer-to-peer (P2P) illegally downloading music fell by 17% – down to 21 million worldwide.

The market research firm cited an increased use of legal streaming music sites as being behind the drop.

The NPD Group’s report, based on its annual study of music consumers, said that at P2P file sharing’s peak, in 2005, as many as 33 million people used the services – one in five of all internet users aged 13 and older.

But in 2012 that number was measured as being down to 21 million people.

The report said as many as 40% of people who used illegal music services in 2011 stopped doing so in 2012.

Of those, 20% said this was due to the fact the illegal service they were using had been shut down, or had contained spyware and viruses.

More than half the users who stopped using illegal sites said they now preferred legal services such as the UK-headquartered Spotify.

The music industry has undertaken a sizable campaign over several years to see illegal sites and services put out of business.

In the UK, the British Phonographic Industry (BPI) took action to the courts, obtaining a court order to force internet service providers to block access to file-sharing site The Pirate Bay.

The Pirate Party UK – a political group that campaigns for an “open” internet – launched a proxy service to allow UK users to circumvent the block of The Pirate Bay, but that too was closed following legal threats from the BPI.

“In recent years, we’ve seen less P2P activity, because the music industry has successfully used litigation to shut down [P2P client] Limewire and other services,” said Russ Crupnick, senior vice president of NPD.

“Many of those who continued to use P2P services reported poor experiences, due to rampant spyware and viruses on illegal P2P sites.”

Apple has announced that its own computers were attacked by the same hackers who targeted Facebook.The iPhone-maker said a small number of its machines were affected, but added there was “no evidence” of data theft.

Last week Facebook said it had traced a cyber attack back to China which had infiltrated employees’ laptops.

Apple said it would release a software update to protect customers against the malicious software used in the attack.

In a statement, the firm said: “Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers.”

“The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers.”

“We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple.”

“We are working closely with law enforcement to find the source of the malware.”

Apple said it had taken measures to protect users from vulnerabilities in Java, a widely-used programming language that was found to have serious security flaws.

“Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days,” the company said.

“To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.”

Facebook has revealed it was the latest website to be targeted by a “sophisticated attack” by hackers last month, but found no evidence any user data had been compromised.The social network said that the attack occurred when employees visited a mobile developer website “that was compromised”.

More than one billion people use Facebook worldwide.

“Last month, Facebook security discovered that our systems had been targeted in a sophisticated attack,” the company said.

“The attack occurred when a handful of employees visited a mobile developer website that was compromised.”

Malware was downloaded on to its employees’ laptops, the firm said, adding: “As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”

“We have no evidence that Facebook user data was compromised in this attack,” Facebook said in its blog post.

The firm went on to say that it was “not alone in this attack”.

“It is clear that others were attacked and infiltrated recently as well. As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected,” Facebook said.

Given the recent spate of hacking incidents a timely report from the National Audit Office (NAO) has highlighted that a lack of skilled workers is hampering the UK’s fight against cyber crime.The spending watchdog had heard from experts who believe it could take “up to 20 years to address the skills gap”, it said in a report.

But progress has been made in tackling cyber fraud, with more police resources and prosecutions aimed at catching cyber criminals, the NAO added.

The government said it was “investing heavily” in research and education.

The number of IT and cyber security professionals in the UK has not increased in line with the growth of the internet, the watchdog said.

In 2011, ministers announced funding of £650 million to implement the UK’s Cyber Security Strategy, which set out the risks of the UK’s growing reliance on cyber space.

The strategy identified criminals, terrorists, foreign intelligence services, foreign militaries and politically motivated “hacktivists” as potential enemies who might choose to attack vulnerabilities in British cyber-defences.

In a review of the strategy, the NAO said there had been an number of developments to help tackle cyber crime.

The internet economy in the UK accounts for more than £120 billion – a higher proportion of GDP than any other G20 country, the NAO said.

But it warned that the cost of cyber crime is estimated to be between £18 billion and £27 billion a year.

Action Fraud, the UK’s national fraud reporting centre, received 46,000 reports of cyber-enabled crime, amounting to £292 million of attempted fraud, the report said.

And the Serious Organised Crime Agency had captured more than 2.3 million compromised debit or credit cards since 2011, preventing a potential economic loss of over £500 million.

New regional police cyber crime centres and a trebling of the size of the Police Central e-crime Unit had also helped boost the UK’s capability to combat attacks, the watchdog said.

But the NAO warned that the UK faced a current and future cyber security skills gap, with “the current pipeline of graduates and practitioners” unable to meet demand.

Education officials interviewed by the NAO said it could take “up to 20 years to address the skills gap at all levels of education”.

They raised concerns about a lack of promotion of science and technology subjects at school, leading to a low uptake of computer science and technology courses by university students.

250,000 Twitter users have had their accounts hacked in the latest of a string of high profile internet security breaches.Twitter’s information security director Bob Lord said about 250,000 users’ passwords had been stolen, as well as usernames, emails and other data.

Affected users have had passwords invalidated and have been sent emails informing them.

Mr Lord said the attack “was not the work of amateurs”.

He said it appeared similar to recent attacks on the New York Times and the Wall Street Journal as the US newspapers reported that their computer systems had been breached by China based hackers.

Mr Lord said in a blog post Twitter had discovered unauthorised attempts to access data held by the website, including one attack that was identified and stopped moments after it was detected.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” he wrote.

Mr Lord did not say who had carried out the attack, but added: “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.”

“For that reason we felt that it was important to publicise this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users.”

The biggest worry for most of Twitter’s 200 million active users is not this attack per se, but the additional new “phishing” scams the attack has already inspired.

Since Twitter users now know to be on the lookout for emails asking them to change their passwords, criminals are sending out very similar messages.

If users click on the links in those they risk – once again – having their account hacked.

Dr Search warns you- don’t click on links in any emails asking you to change your password- instead go directly to the web site, log in normally, and change it using the instructions without clicking on email links.

“You have to be careful if you get hold of one of these emails because, of course, it could equally be a phishing attack – it could be someone pretending to be Twitter.

“So, log into the Twitter site as normal and try and log in to your account and, if there’s a problem, that’s when you actually have to try and reset your password.”

Blackberry have launched two new smartphones- which have been greeted with positive reviews.The Z10 is controlled via a 4.2 inch touchscreen while the Q10 has a smaller 3.1 inch screen and physical keyboard.

The new operating system had originally been due for release last year.

“Two years ago we had to make a very serious decision,” chief executive Thorsten Heins told a press conference in New York.  “Adopt someone else’s platform or build a whole new one from ground up for Blackberry. And we made the tough call to go it alone.”

“Bringing an entirely new platform to the market and ushering this company through a really difficult transition took careful planning and we absolutely knew it was risky.”

According to data from IDC, Blackberry devices used to account for just over 19% of global smartphone shipments at the start of 2010 – but it suggests that figure had dropped to less than 4% by the end of last year.

The new user interface allows up to eight apps to run simultaneously, four of which can appear in small windows on the same screen – something the firm describes as “true multitasking”.

During a demonstration executives said the intention was to let users “flow” through applications using swipes and other gestures rather than copy the “in and out” nature experienced when navigating rivals’ devices.

For example BB10′s Hub – which brings together emails, texts and other notifications – can be accessed by swiping up and then to the right from any app. The user then needs to reverse the gesture to return to where they were.

The BBM messaging app can now make audio and video calls as well as being able to share what is on one person’s screen with the other user’s device.

The Z10 is not RIM’s first to feature a touchscreen keyboard, but it has adopted new features to attract users more used to physical buttons.

These include a feature which learns the words and phrases the owner most often types and then uses this to suggest words which float above the keyboard and can be flicked into place.

It will also learn to anticipate and correct frequently made mistakes – such as if the user often hits the letter C when they mean to tap space.

“This is not a new Blackberry device, this is a completely new Blackberry experience. For the first time the traditional keyboard Blackberry users will it find easier to type on a touchscreen.”

The handsets also include a mix of features designed to make them appeal as a crossover business-personal machine.

Blackberry Balance sets up a “work perimeter” on the phones so that data belonging to the user’s employer can be limited to approved apps, while photos and other personal information can be used across a wider range of software.

Security conscious companies are also given the option of being able to remotely wipe sensitive files.