I was excited recently when Ciaran Martin, the very respected founder and former head of the UK’s excellent National Cyber Security Centre, posted a toot on Mastodon linking to a note he’d written for The Economist. In his toot, Martin stated that the article was an attempt to be…
“…optimistic about cyber security and public policy for The Economist (£). Also tried to push back a bit on the AI apocalypse stuff, arguing that we should do what we (eventually) did with cyber and start breaking down the problem into chunks and improving how we manage it bits at a time”
…and then it linked to the article.
Unfortunately, I will never know what the article says because the terms of reading it are so onerous that I must reject them (and it’s unclear whether I can).
This is by no means Mr Martin’s fault, nor is my complaint one about him.
It’s just that the irony here flows like a river: to read an article by a leading expert in the field about how information security is getting better, I am forced to accept significant challenges to one of the three core concepts of information security: integrity. This is not just a concern about privacy (though that is also at stake here), but in this case, this is actually straight up information security.
Integrity in this sense means that if I am clicking a link purporting to be to an article in The Economist, when I get there, I should get an article in The Economist. Integrity is a fundamental goal of the GDPR.
The GDPR requires you to process personal data securely. Article 5(1)(f) concerns ‘integrity and confidentiality’ of personal data – in short, it is the GDPR’s ‘security principle’.
How do I know this? From an article available at Mr Martin’s NCSC, entitled “GDPR security outcomes”.
Unfortunately, what I get when I click Mr Martin’s link is a page that betrays his wonderful intentions and work.
When one looks closely, one sees his article used as a trap to view (and silently register with) The Economist, but also 57 others: Adara Media, Inc., Affle International, AppNexus Inc., Bing, Crimtan Holdings Limited, DoubleClick, Facebook Conversion Tracking, Facebook Pixel, Google Ads, Google Adwords, Google Maps, Google Publisher Tag (GPT), Google, Inc., Index Exchange, Inc., LinkedIn, Liveintent Inc., LiveRamp, Inc., MediaMath, Moat, OpenX, Outbrain Inc., Permutive, Inc., Platform161 B.V., PubMatic, Inc., Quantcast International Limited, Quora, Reddit, Inc., Sovrn Holdings Inc, SpotXchange, Inc., Taboola Europe Limited, Teads, The Rubicon Project, Inc., The Trade Desk, TikTok, Twitter, Inc., Unruly Group LLC, Yahoo Ad Exchange, YouTube, Chartbeat, Drawbridge, Inc., Google Analytics, Grapeshot, Microsoft Clarity, Parse.ly, Qualtrics Labs, Inc., AMP, Brightcove, Inc, Google Web Font, Optimizely, CloudFlare, Google Ad Manager, Google Tag Manager, hCaptcha, New Relic, Inc., Piano Inc., Tealium Inc, and Tealium Tag Manager.
So here is one of the world’s most trusted information security experts, giving a link to his thoughts on how information security is improving, and I literally cannot trust it. Or rather, the proffer is incomplete: if I click the link, then click the Manage button, and select the Do Not Sell or Share button (a button which is deselected by default, I might add), I can trust that The Economist will, of the above-listed entities, only share my information and data with AMP, Brightcove, Inc., Google Web Font, Optimizely, CloudFlare, Google Ad Manager, Google Tag Manager, hCaptcha, New Relic, Inc., Piano Inc., Tealium Inc, and Tealium Tag Manager.
Sorry, but no deal. I am by no means the first to point out that the 12 names just listed are considered “functional” or “essential” to the delivery of the page. This labeling by The Economist of categories called “Functional” and “Essential” would of course imply first that there are inessential functions, but even more, I reject that there are “essential” functions.
This site, nickselby.com, has no trackers or cookies whatsoever, and hey: you’re reading this.