Since that post there was a generic update from Travelodge stating that no financial data had been accessed, and that engineers were working round the clock to find out what had happened and update customers. (Basically a generic email full of platitudes, trying to sweep the issue under the carpet and keep everyone calm). That update has simply not happened. Despite repeated prompting of the Travelodge UK twitter account, the best I have received is a week ago I was told that an update would be out ‘shortly’ . I’m guessing that their definition of shortly and mine differ wildly, as I certainly don’t class a week of no action or info as shortly.

I’ll personally never stay in a Travelodge again, I simply don’t trust them with my data any more, and their lack of updates and quite frankly pathetic handling of this issue has burned what little trust or respect I may have had in them after the breach. Other large companies that have suffered data breaches in recent months have announced within a week, usually days, what has happened, what data was accessed and such like. Without this information the customers who’s details have been accessed have not got the ability to take any action to prevent further security problems that may arise from the data leaked, or even identity theft if address details were compromised. Over 4 weeks to make a full and frank disclosure to customers who have potentially had their information compromised is simply not acceptable. The lack of such update tells me that Travelodge either have inadequate systems and can’t securely protect data and audit any breach, or they simply don’t care enough to tell their customers in a timely fashion. They seem more intent on simply forgetting about the issue and hoping everyone else does, so that they don’t get any more bad publicity out of the problem.

I’d urge others to seriously consider their choice of hotel in the future, and avoid Travelodge if at all possible. if they can’t even tell us what data has been accessed or how it happened, how can we trust their word and be sure that financial data has not been accessed and therefore trust them enough to input your card details again? (and that is before you even consider that you might get your card charged twice, as they announced yesterday)

EDIT

Seems there was an update, from this, they just didn’t bother mailing anyone about it, just noticed this on their twitter feed. http://twitter.com/#!/TravelodgeUK/status/89388586784407553

It’s still entirely unacceptable in my eyes, that they haven’t even bothered to mail customers about this, that it took so long, that no numbers of how many accounts were breached but first and most importantly that they had customer details in an unencrypted database in the first place. Especially in such a database that seemingly would have no way of easily auditing or verifying who had accessed the data if it took them over 3 weeks to find out!

~Shepy

http://ismycreditcardstolen.com/

~Shepy

For me though, an apology is simply not good enough, people use a backup service so that they can be sure their data is safe and secure, but if the people you entrust to make that backup cant keep it secure then it’s almost pointless to even use the service. This compounded with the change in TOS a few months back which state Dropbox will decrypt your files if requested by law enforcement agencies, and that a previous ‘Staff can’t access your files’ mantra suddenly being changed to ‘Staff are prohibited’ from accessing your files being widely reported on the net, I no longer feel that Dropbox is a service I want to trust important data to, in fact I’m not even sure I want to trust them with unimportant data.

When I was discussing this with a friend, he mentioned that he too had the same concerns, and had gone looking for an alternative, which turned up SpiderOak, a very similar but at the same time altogether different service.

An alternative

First and foremost, SpiderOak encrypts all your files at the client end, they never store your password and therefore are literally unable to provide access to your files to anyone, including their staff or law enforcement agencies. Files are stored on their servers in blocked segments encrypted at the byte level, so not even file names and folder structures are accessible. Even when you log in to the website your password is maintained only in RAM memory, in an encrypted form, only as long as you’re connected, and never put to disc. And that’s just the start of the improvements over Dropbox, some of the other big ones are:

• Faster data upload – compression and de-duplication upload your info much faster
• De-duplication means if you have the same file at home and work, it only takes the space of one copy
• Selective backup, you can opt to backup any folder on you machine (including network shares and external drives)
• Consolidation of backup between all of your devices and machines, you can browse them all through the GUI
• Complete revision history, no old copy is ever removed unless you choose to remove it.
• Sharing can be done on a folder level, like Dropbox’s public links you can share files with anyone, but share a full folder not just single files.
• Open Source transparency means they are actively trying to release their code to help the wider net community as well.
• Great referral system offering much more space for no charge (4x what Dropbox offers)

Though it is a shame the circumstances under which I felt obligated to move to a different backup / sync provider, I am wholly impressed with SpiderOak and glad that I did make the mov. I’ve got much more faith in it and find it to be much more featured than Dropbox.

Sign up & get 6gb free

If you’d like to sign up then I’d suggest you do so with my referall link, which you will find at the end of this post, and also use the promo code ‘worldbackupday’ which will give me 1gb of free space, and instantly start your account with 6gb of free space if you do both.

Let me know what you think of the service, and that referral link is:  https://spideroak.com/download/referral/33d3bbe7b656b2c4cf47e479f4409406

~Shepy

Absolute full credit must be given to Instapaper though for immediately making an announcement to it’s users informing them of what had transpired, what this meant to the service, and which data would now be in the hands of the FBI. More credit again to the fact that their passwords are stored as SHA1 hashes, rather than simply being the actual password as has been the problem in far too many recent data breaches.

From the post, outlining what is now in the hands of the FBI:

Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server.

So the FBI now has illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase, and as far as I know, this is completely out of my control.

The rest of the post can be read by clicking here, and it certainly makes for interesting reading.

Bravo to Instapaper in how they have handled this, if only more companies would be as transparent and up front with their user base.

~Shepy

I just received a call from a friend saying they had received an email from Travelodge, which said that no data had been sold. I asked him to forward it here so that I could share it, and in the meantime while I was waiting for it to arrive I checked the Travelodge UK twitter feed, which offers:

@TravelodgeUK Hi there. Please click here for a full update on the issue of spam emails http://ow.ly/5oSh4 #travelbotch #travelodge #spam which I will copy the content of here for you;

Dear Customer,

Our main priority is to ensure the security of our customers’ data, which is why I wanted to
make you aware, that a small number of you; may have received a spam email via the email
address you have registered with us.

Please be assured, we have not sold any customer data and no financial information has
been compromised.

All financial data (including credit card information) is compliant with current best practice
standards and is audited to PCI (Payment Card Industry) requirements.

The safety and security of your personal information is of the upmost importance to us and as
a result we are currently conducting a comprehensive investigation into this issue.

If you receive an email similar to the one detailed below, please delete it as spam.

Good day.  
Don’t miss exciting career opening.  
The company is seeking for self-motivated people in United Kingdom to help us spread out
our activity in the UK area.

Conditions:
– Full age United Kingdom resident  
– Only basic knowledge of Internet & computer.  
– Free access to personal e-mail box  
– 2-3 free hours per day  
– Immediate replies on our written requests  
– good organizational skills.

You can without problem connect our work with your primary activity.
Brilliant income ability. Free training available.  
Applicants must be smart and commerce motivated. Working only some hours per day.  
Any person residing in the United Kingdom can be our representative.  
Our manager will contact you within few hours if you attracted.  
—————-  
Local News: from paris, with love who’s the toast of the airport show.

If you have any questions regarding this matter please email: andrea@travelodge.co.uk. A
further update will be given, when we have completed our investigation.

Guy Parsons
Chief Executive

The update is basically the same as what has started going out on email.

Whilst I appreciate that the update states no financial information has been compromised and adheres to PCI standards, this still doesn’t sit well with me.

Mainly because;

If they have been compromised enough to steal customer names and email addresses, how are they so sure that financial information has not been taken also?

If safety and security of personal data is of utmost importance, why did it take people complaining on Twitter etc to highlight the situation and get this half update?

What information has been compromised, though a full investigation will take a wee while it would still be more re-assuring to know what they know so far. By saying “no financial information has been compromised” they are, through omission of discussing other details, saying that some data has been compromised.

It is ignorant to think that just because financial information has (claimed) not to have been accessed, that it is unimportant to announce what HAS been accessed. Having name, address and other such details is just as worrying in regards to identity theft. Have passwords been compromised, it makes no mention of these, and some people may have used the same password on Travelodge as they have on other sites.

This ‘update’ is nothing more than fire fighting to try and calm the situation and save face in my opinion, and leaves more questions open than it answers.

~Shepy

From: Ena Walton
To: <***@shepy.co.uk>
Subject: Richard Shepherd
Date: Wed, 22 Jun 2011 19:12:14 +0000

Good day.
 Don't miss exciting profession opportunity.
 Our Corporation is looking for energetic representative in United Kingdom to help us spread out our  activity in the UK sector. 

 Required Skills:
 - 18+ United Kingdom resident
 - Only basic knowledge of Internet & computer.
 - Free access to personal e-mail box
 - 2-3 free hours per day
 - Immediate replies on our written requests
 - good organizational talents. 

 You can without problem combine our work with your  primary work.
 Great income ability.  Free instruction available.
 Those who are interested must be fair and business motivated.  Operate only some hours per day.
 Everyone residing in the United Kingdom can be our agent.
 Our manager will e-mail you within several if you attracted.

The eagle eyed among you will notice that the subject is my full name, which is not what you would expect me to see in spam, which caused me to look a little closer and see that the email address to which it was sent is actually one that I have only ever provided to Travelodge UK.

I put out a tweet last night saying “Dear @TravelodgeUK I’ll not be staying with you again as you sold my email address to spammers, and it was a unique mail addy only you have.” and then this morning got a reply from @benjymous providing the email address for the CEO of Travelodge, and suggesting that I was not the only person with this problem.

Following suit from @zoeimogen I have sent an email to the CEO of Travelodge, stating the following:

Dear Sir,

Yesterday evening I received a spam email from a company, which was
interesting in the fact that it had my full name as the subject of the
email, certainly unusual for spam. Looking closer in to this I notice
that the email address it was sent to is an email address that I have
only ever provided to Travelodge.

This leads me to one of two conclusions.

1) You are in the business of selling customer details and databases
2) Your systems have been compromised and customer details have been exposed.

I would therefore like confirmation if my details have been sold or
provided to third parties or if the security of the data has been
compromised. To the best of my knowledge I gave no such permission for
data to be passed to a third party, and habitually tick the box to not
be contacted for promotion or third parties when registering with a
site. As the subject of personally identifiable data I have the right
under the data protection act to know if my data is being handled
correctly and in accordance with the reason for which it was provided,
and nothing else.  If the data was sold I would like confirmation that
I authorised this to happen, and no doubt will be following this up
with a data protection request to view all information held on me and
how it has been processed.

If you have suffered a security compromise and data has been obtained
by unauthorized access I would like to know which data is stored in
the systems that have been broken in to, such as address, billing etc.

The mail address used to register with yourself was ***@shepy.co.uk

I eagerly await your response.  If i receive no reply within 72 hours
I shall be raising a complaint with the ICO.

Regards

Richard Shepherd

Hopefully myself and others will receive a reply soon, and if so I will obviously follow up this post with an update.

UPDATE:

Well Travelodge has been thus far silent with consumers, but El Reg is reporting and also Travelodge say themselves “Sorry for the spam email you may have received. We have NOT sold any data. We’re currently investigating this issue and will update you ASAP”, which basically means this is either a leak or a hack, neither of which is very reassuring and confirms that someone has had unauthorised access to the data, the question now is to what extent and what data?

If you’ve seen any of this spam, there is a hashtag at #travelbotch you can monitor / join in to keep updated.

UPDATE #2:

More on this on another post at http://www.shepy.co.uk/blog/2011/06/travelodge-uk-hack-update-official-statement/

~Shepy

A quick couple for preview:

You can download the screensaver pack via this torrent link or this magnet link. (If you need a torrent client, you should check out www.utorrent.com)

~Shepy

Several times Yesterday my Facebook profile, on the website, would show the ’1 Inbox’ message notification in the top bar, but when clicking in to it I would see no messages highlighted as unread, clicking on “Unread” would show zero messages. So today I’ve had a bit of a side by side comparison, and it seems something is going seriously wrong. Quite a number of new messages are being delivered to my mobile only, which I don’t always have running so wont get notification until I just happen to open the app. Below is a series of 4 screen shots, both from the website and my phone. I’ve blanked out most of the names and messages for privacy, but left enough in so that you can see the correlation between the two. Look through them and note:

Inbox

There is 1 message at the top which doesn’t appear at all on the website, only shows on mobile.

There is one message from Victora which shows a different message, where as the site shows only my last sent message

Individual Thread

The conversation looks entirely different when viewed on the website, as opposed to the mobile client.

Inbox - Android	Inbox - Website
Individual Thread - Android	Individual Thread - Website

If I manually go to the page of the person who sent the missing message from the top of the inbox (which was a bit of a pain as it was a new contact, not in friends list, so they had to be searched) and clicked ‘Message’ then the message appears correctly, but as you can see if I go to Victoria’s page and click ‘Message’ then her replies still don’t show.

As someone who gets a lot of contact from potential clients for photography work through Facebook, this is very concerning that I may be missing work entirely or not getting back to people in a timely manner because it happens to take me a while to notice them on the mobile, despite having checked the website maybe 5 times since the message was sent. I’m going to be keeping a close eye on both mobile and website for the foreseeable future, to make sure I don’t miss anything, but I’ll be using other methods of communication wherever possible to avoid problems.

I’ve no idea yet if this is only happening on Android, or if it is something that is affecting iOS as well, but I would definitely be interested in hearing from people in comments how theirs compare correctly across the two. I would suspect it is something more than just an Android problem, as the same omissions appear if I view through http://m.facebook.com which is the wap friendly site designed for more basic mobile phones.

~Shepy

The situation till now

That article has caused a lot of buzz over the past two days, I have seen massive numbers of people coming to the site through it, and plenty of comments (both on the post itself and on twitter). I still don’t think the issue is done though and there seems to be a lot of misinformation about the situation, the responses and the general malaise about the whole issue.

As a quick recap for those that don’t want to click through to the original article, in a nutshell, Twitpic edited their terms of service from a simple “You own the rights to your photos” to a rather more intrusive “You own the rights, but grants us essentially the right to do whatever we like” (I’m obviously paraphrasing here). This understandably caused a massive uproar on the internet, not least amongst those who make a living from their creative talents such as photographers and designers. One of the most interesting things I find about this change to the terms of service is the lack of the communication, the attempt to almost slip this change in through the side door. I saw no mention of this in the email address I have associated with Twitter (which presumably as a once authorised service Twitpic had access too) nor did I see mention of this on the Twitpic blog (where as if Twitter, Facebook, Ebay etc etc decide to change their TOS then I get several mails before and on the date of change).  This was simply a change that was decided upon, implemented and quietly added to the terms of service the site with no announcement.  I personally would not have even been aware had I not noticed a tweet from @iA regarding the matter.

What’s happened in the last 48 hours.

Well, things have gone quite mental in a few places regarding this issue, blog posts have been made aplenty, news articles have sprung up and much has been said and discussed on Twitter. Twitpic themselves even decided to bring something to the party, with a response on their own blog, though more on this later. I’ve had a variations in comments from ‘Thanks for letting me know’ to ‘You couldn’t be more naive’, all of which are there on the original post if you would like to go see the counter arguments (I’m firmly against censorship, I always leave all comments as they were posted).

Whilst obviously I don’t have access to the actual numbers of people using the various services available for posting pictures to Twitter, I have seen much commenting from people saying they wont use Twitpic any more, and I’ve seen a definite increase in the number of links I am seeing to pictures on other services.

I also find it interesting to note that a deal between Twitpic and WENN has been announced, a deal that will facilitate the sale of images posted by celebrities to Twitpic to the various news outlets via a licensing deal through WENN. This is exactly the kind of thing I was worried about, the sub-license and sale of images, and although this appears to be only geared towards images posted by celebrities at the moment the conditions in the TOS that allow for this equally apply to each and every user of the service.

The Twitpic Blog

As mentioned previously, Twitpic posted on their blog to state that they apologised for the new terms that were posted, and they they were wildly misunderstood, which was a deft move on their part I feel.  See, what most people don’t realise is that the initial change to the TOS for Twitpic also included a paragraph that stated:

You may not grant permission to photographic agencies, photographic libraries, media organizations, news organizations, entertainment organizations, media libraries, or media agencies to retrieve from Twitpic for distribution, license, or any other use, content you have uploaded to Twitpic.

(Paragraph copied from IanVisits)

This seems to have been misconstrued as meaning if you uploaded an image to Twitpic, then you were no longer free to license or sell that image anywhere else. I don’t read it as that, and this is where I think the confusion has entered into the matter. I read that as meaning that if you do sell this image to anyone or anywhere else, then you must provide that image directly to the buyer yourself, and can not direct them to Twitpic to retrieve the image.

I think that it is this paragraph or clause that the Twitpic blog post refers to, and it is this which they apologise for the confusion about, not the new clauses that still remains to this moment, the clauses which I discussed in the previous article. They did however get a lot of mileage out of people thinking that this blog post referred to the points I, and others, made about the grant of license to images.

I also find it really interesting to note that of all of the posts on the first page of the Twitpic blog (at time of writing) there are only two posts that have commenting disabled; the one about the changes to the copyright, and one which is a job vacancy advert (and therefore requires no reply). I would have thought that if this really was an issue that they thought had been taken wrongly and that they wanted to clear up, then they would have allowed commenting and addressed the issues that visitors brought up, rather than just shutting up shop and hoping that the retraction of a mistake would be taken as the back tracking on the issue that most think it is, when (in my opinion) they are actually talking about a clause that most don’t even know existed.

Defending the clauses

I’ve had a few comments through various channels that these clauses are needed to operate the business and provide the service to which their users have signed up, but I disagree with this idea. Things such as “They need to sublicense for their bandwidth provider to carry the content” doesn’t ring true when it could have easily been worded as “our third party infrastructure” or “our suppliers” rather than “successors and affiliates” (affiliate marketing, familar term to anyone?). Claiming that Facebook made this same mistake and didn’t withdraw their terms is simply wrong, if you look at the TOS that Facebook initially tried to push through it claimed rights to derivative works, something that it no longer does in it’s terms. Part of the problem here is that people are accepting too much as a means of providing a service, such as thinking that derivative works is needed to provide an image service. A thumbnail (in the USA at least, where Twitpic is based) has already been classed as a transformative change (See Leslie A. Kelly v. Arriba Soft Corporation) as it is a change that provides additional functionality to the user, and as such is transformative in providing information in a way it was not previously available. A company such as Twitpic does not require a derivative license to be able to provide their service, but they do need it to be able to modify and republish the image in other formats.

So what happens now?

Personally I am still adamant on the statement that I have left Twitpic, and will no longer use their service. I doubt I would even return now if they change the terms back to what they were prior to the 4th of May because I have lost faith in the company for the very fact that they have brought in these clauses and the fact they neglected to announce the changes to their users.

I have personally settled on Posterous, though I have seen others going to other services which have even more friendly terms of service (Pesterous claims reproduction rights in line with their advertising of their own business, I have no issue with this, it is standard practise for me as a photographer to do this with portfolio photographs).

I guess my final advice is to carefully think about the images you are posting, how much you value them, and what would happen if they were reproduced without your input or decision on where they could be used (as is what you are essentially agreeing to in some of the TOS). If you’re comfortable with the terms then go right ahead, make an account and start posting (some of them can even import your old Twitpic images!), but if you’re not happy for whatever reason then keep shopping around till you find one you do agree with.

We have a plethora of services and choice for almost every aspect of our on line lives, and I firmly believe that it is through voting with our feet and moving away from services that make poor decisions and fail to respect their users that we will eventually create a system in which we are considered and catered for when changes like this are discussed in boardrooms, and not just tied in to terms that are very much one sided through clicking an ‘I Agree’ button.

~Shepy

I saw a retweet of an update frorm @iA this afternoon which pointed me towards the terms of service of Twitpic stating that as of 4th of May they were claiming copyright license on all images uploaded to their service.  Understandably annoyed at this, I followed the link and had a read, to find the following paragraph (emphasis mine):

You retain all ownership rights to Content uploaded to Twitpic. However, by submitting Content to Twitpic, you hereby grant Twitpic a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content in connection with the Service and Twitpic’s (and its successors’ and affiliates’) business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels. You also hereby grant each user of the Service a non-exclusive license to access your Content through the Service, and to use, reproduce, distribute, display and perform such Content as permitted through the functionality of the Service and under these Terms of Service. The above licenses granted by you in media Content you submit to the Service terminate within a commercially reasonable time after you remove or delete your media from the Service provided that any sub-license by Twitpic to use, reproduce or distribute the Content prior to such termination may be perpetual and irrevocable.

What this means

That first bold bit there essentially says they can do whatever they like with the image, at no cost, including selling it or transferring their license to any and all third parties which they chose, including the ability to make derivatives works (which would cover removing any watermark you may happen to have placed on the image).

The second bold bit basically covers them for anyone they like to be able to use their images, you have no say in who can use or license the image.

The third emphasis says that even if you delete the image, if they already have a sublicense in place then there is nothing you can do about it, and that license will still stand.

Imagine these scenarios:

• You happen to be there when something major happens, they can sell your images to the news services.
• You upload images of a friend, they sell those images and they are used without yours or your friends permission to advertise something unsavoury or adult.
• Your image / likeness is used to promote a product or service you feel strongly against (a pregnant mother in anti-abortion ads, when she is pro-choice)
• Those “Meet singles in your area” adverts you see on the right of Facebook, how would your husband feel to see you in one of those?
• A photo you took of a product is used, and the trademark owner decides to sue for that use, you as copyright owner could potentially be dragged in to it.
• An image of yours is used in a negative way, and the stigma of that is associated with you name which could affect business if you are a photographer.

Those are just the uses I can think of off the top of my head, there are bound to be plenty more.

Reaction

I immediately deleted all of the images I had on Twitpic, thankfully none of which had been uploaded since the change of terms on the 4th, and removed Twitpic’s right to access my twitter account. I uploaded one final picture which simply said in huge letters “Bye Twitpic You Bunch Of Thieving Bastards” which I can categorically say I have no qualms about if they wish to sublicense or allow the use of by anyone, anywhere.

One of the main reasons I used Twitpic was because of it’s ubiquitous support in Twitter clients, and the fact I had been using it for so long (813 days according to the oldest picture I deleted), and that it is the only choice for picture service native within the Android version of Tweetdeck which I use.

What to use instead

Thankfully the wonderful @alittlebit recommend Posterous, which I have now signed up for and will be using in the future to post pictures on Twitter, probably as well as a few short video clips and suchlike.

Like Twitpic it automatically sends out the tweet for me (as well as also being able to automatically post to a myriad of other services), and there is a handy app for my Android phone which will upload them for me, so in usability terms I lose nothing, but gain the ability to also upload pics via email and to add extra content or information to the post / pic before it is published and obviously retain the copyright, as it should be.

And just in case you’re wondering what Posterous terms of service have to say on the same matter;

You shall retain all of your ownership rights in your submissions; however, by submitting material to Posterous you grant Posterous fully transferable rights to use, reproduce, distribute, modify, transmit, prepare derivative works of, display and produce the material in connection with Posterous and Posterous’s business, but solely in accordance with these Terms of Use and our Privacy Policy.

The key difference there is that you are granting license only in so far as may be deemed appropriate for the promotion and advertising of the Posterous service (which is likely to cover them for screenshots in news magazines etc), and not that they can sub license the images for any other use.

Final thoughts

You think that Twitpic would have learned from the mistake that Facebook made when they attempted much the same thing last year, and then very quickly withdrew the clause from the terms of service after massive outcry from their userbase. You can bet that Twitpic have something in mind for this, you don’t add something like that to your terms of use without having a reason to do so, but I for one don’t intend to be around to find out what that is, and hopefully neither will you.

If you want to sign up with Posterous you can do so by clicking here

You can follow me on twitter by clicking here.

UPDATE: There is a follow up to this article here: http://www.shepy.co.uk/blog/2011/05/twitpic-why-i-wont-go-back-and-why-you-shouldnt-either-a-follow-up/

~Shepy