Continuation of our article about the security and privacy problems with the newly launched NetIDme service
- Illegal data processing of personal information ? Is NetIDme Limited properly registered under the Data Protection Act 1998 ?
The company's entry on the the Register of Data Controllers Registration Number: Z8752777 shows only 3 statutory Purposes, under the Data Protection Act:
- Staff Administration
- Advertising, Marketing & Public Relations
- Accounts & Records
All with possible data transfers "Worldwide"
i.e. there nothing about the actual NetIDme service , customer registration, credit card name and address details, personal details of children, "sophisticated IP address tracking", audit log files etc. etc.
Given the nature of the "child protection" service being sold, perhaps a formal complaint to the Information Commissioner should considered, for this apparent breach of the Data Protection Act 1998.
- The NetIDme scheme claims to
When you've completed the online registration, a form will be sent out to your home. The form needs to be signed by you, and your details must be confirmed by a professional person who knows you well (such as your teacher, doctor or lawyer). If you're under 18, your parent or guardian must also sign the form.
How exactly, can NetIDme make sufficient checks on the authenticity of such signatures, when the UK Identity and Passport Service (IPS) cannot do so for Passport applications ?
If their checks on signatures and "sponsors" are not at least as good as those by the UK IPS, then what possible use are they in preventing false or multiple applications for NetIDme accounts ?
We tried to see how easy or difficult it was to actually order a NetIDme subscription.
Firstly, there is no information on exactly how the system is meant to operate, spelled out on the www.netidme.com website.
You are presumably meant to divine this from the Terms & Conditions, and from the media hype.
Some other poor e-commerce website design features:
By preventing the user from using the Right Click mouse menu it prevents examinationof the page Properties (under Microsoft Internet Explorer) or View Page Info (under Firefox), which iinclude SSL / TLS Digital Cerificate information, This "feature" should make wary parents suspicious - it is exactly the sort of trick which "phishers" use when stealing credit card information via their false websites.
- However, on the next page, asking for your name, address, phone number, relationship with the Child e.g. Mother, then this disabling of "Right Click" no longer appears !
- The field for "Contact telephone number" pops up a message "Please enter your land line telephone number including area code" !
What about mobile phones ?
- We got a message "You are not currently logged in to netidme. Please log in now" - even though we were only halfway through purchasing a subscription. We were then returned to the initial login screen.
Wondering if our "nickname" and password had already been registered, since we had passed that point in the multipage form, despite not gettting to the payment details section, we tried our "nickname" with the the Forgotten Password option:
CDO.Message.1 error '8004020c'
At least one recipient is required, but none were found.
/forgottenPassword.asp, line 477
What did we say about possible SQL Injection attacks ? This message should never have been displayed on a production e-commerce system.
- The payment form displays various Credit Card symbols - Switch, VISA, Mastercard and American Express and PayPal, but there does not seem to be any way of using a credit card, only PayPal - You are not warned about this up front !
- However, PayPal does not handle Switch (now re-branded as Maestro) payment transactions.
Displaying the Switch debit card symbol without authorisation must surely be wrong.
- When choosing a "nickname" you fall foul of "This nickname is already in use. Please try again" messages, which, of course, only appear
you have wasted your time typing in your password twice and deciphering the Captcha "security" code graphics.
There was no suggestion of an alternative nickname e.g. with a number appended to it, as is common with many email signup systems.
Surely most e-commerce customers would have given up by now ?
Did nobody actually bother to test this e-commerce application ?
Sky News have been hyping this service heavily, with interviews with Alex Hewitt, and most of the explanations of how the system is meant to work (which are not available on the website), being given by John Carr, from the NCH charity, who is usually interviewed when online safety of children is being reported by the broadcast media.
The Sky News extended segment on this "story" included a couple of inteviews via webcam, one from the father of the teenager who had been interviewd about her online activities,.
Almost comically, there was another interview, from Spain, with the boss of some PC Company, whose name we did not catch, interviewed as an IT expert. He also used a webcam, but as there seemed to be a powercut, he was illuminated with a torch via the webcam on his portable computer! This seemed to distract him from being able to produce a "soundbite" explanation of "IP Spoofing", an obvious weakness of the NetIDme scheme. He then made the fallacious claim that MAC addresses were somehow a better way of tracking internet connections. This is, of course, rubbish, as MAC addresses are actually easier to undetectably spoof than IP addresses are, either through the settings in the Windows Registry or in *nix configuration files or by using tools like SMAC
The NetIDme system bears no resemblence to the established ways of establishing online "identity", such as a Public Key Infrastructure with Client Side Digital Certificates, which mutually authenticate a web browser and a webserver using SSL/ TLS, neither is it like any Challenge / response phone or internet banking authentication Questions and Answers , nor is is like the proposed InfoCard stuff under development by Kim Cameron et al at Microsoft.
The NetIDme developers do not seem to have read the London School of Economics' Identity Project report
Even if the NetIDme scheme were to have all the problems listed above fixed, it would still be fundamentally flawed as there is no way of verifying the authenticity or status of the NetIDme "certificate" or "card" unless the recipient is also a paid up member of the scheme.
Compare this with , say, PGP digital signature verification using either a web of "trust" (or a web of "co-conspirators") who mutally sign each other's public signing keys. NetIDMe does not even offer something like HushTools, a website which offers a webform to check the authenticity of a digitally signed Huhmail encrypted and or signed email.
There is also a vague mention that children who frequently exchange their NetIDMe "cards" will magically "earn" bonus points, which will entitle them to , unspecified "prizes".
There is no detail of how many "bonus points" need to be "earned"and what sort of prizes are on offer. This smacks of the failed UK Government Connexions Card scheme, which is to close in February 2007, due to lack of use by teenagers. The scheme is run by NuLabour's favourite IT outsourcing company Capita plc.
There does, however appear to some sort of NeIDme "affiliate marketing" scheme, so we assume that this will lead to junk mail, blog comment spam and possibly affliate marketing "click fraud" as well.
This NetIDme website and concept is so bad, that it is almost as if the Home Office ID Card Ministers and spin doctors have had a hand (or foot) in the development of this alleged "online security" system..
Do not put your family's privacy and security at risk by wasting money on, and trusting, this flawed NetIDme service.