Since that post there was a generic update from Travelodge stating that no financial data had been accessed, and that engineers were working round the clock to find out what had happened and update customers. (Basically a generic email full of platitudes, trying to sweep the issue under the carpet and keep everyone calm). That update has simply not happened. Despite repeated prompting of the Travelodge UK twitter account, the best I have received is a week ago I was told that an update would be out ‘shortly’ . I’m guessing that their definition of shortly and mine differ wildly, as I certainly don’t class a week of no action or info as shortly.

I’ll personally never stay in a Travelodge again, I simply don’t trust them with my data any more, and their lack of updates and quite frankly pathetic handling of this issue has burned what little trust or respect I may have had in them after the breach. Other large companies that have suffered data breaches in recent months have announced within a week, usually days, what has happened, what data was accessed and such like. Without this information the customers who’s details have been accessed have not got the ability to take any action to prevent further security problems that may arise from the data leaked, or even identity theft if address details were compromised. Over 4 weeks to make a full and frank disclosure to customers who have potentially had their information compromised is simply not acceptable. The lack of such update tells me that Travelodge either have inadequate systems and can’t securely protect data and audit any breach, or they simply don’t care enough to tell their customers in a timely fashion. They seem more intent on simply forgetting about the issue and hoping everyone else does, so that they don’t get any more bad publicity out of the problem.

I’d urge others to seriously consider their choice of hotel in the future, and avoid Travelodge if at all possible. if they can’t even tell us what data has been accessed or how it happened, how can we trust their word and be sure that financial data has not been accessed and therefore trust them enough to input your card details again? (and that is before you even consider that you might get your card charged twice, as they announced yesterday)

EDIT

Seems there was an update, from this, they just didn’t bother mailing anyone about it, just noticed this on their twitter feed. http://twitter.com/#!/TravelodgeUK/status/89388586784407553

It’s still entirely unacceptable in my eyes, that they haven’t even bothered to mail customers about this, that it took so long, that no numbers of how many accounts were breached but first and most importantly that they had customer details in an unencrypted database in the first place. Especially in such a database that seemingly would have no way of easily auditing or verifying who had accessed the data if it took them over 3 weeks to find out!

~Shepy

~Shepy

The situation till now

That article has caused a lot of buzz over the past two days, I have seen massive numbers of people coming to the site through it, and plenty of comments (both on the post itself and on twitter). I still don’t think the issue is done though and there seems to be a lot of misinformation about the situation, the responses and the general malaise about the whole issue.

As a quick recap for those that don’t want to click through to the original article, in a nutshell, Twitpic edited their terms of service from a simple “You own the rights to your photos” to a rather more intrusive “You own the rights, but grants us essentially the right to do whatever we like” (I’m obviously paraphrasing here). This understandably caused a massive uproar on the internet, not least amongst those who make a living from their creative talents such as photographers and designers. One of the most interesting things I find about this change to the terms of service is the lack of the communication, the attempt to almost slip this change in through the side door. I saw no mention of this in the email address I have associated with Twitter (which presumably as a once authorised service Twitpic had access too) nor did I see mention of this on the Twitpic blog (where as if Twitter, Facebook, Ebay etc etc decide to change their TOS then I get several mails before and on the date of change).  This was simply a change that was decided upon, implemented and quietly added to the terms of service the site with no announcement.  I personally would not have even been aware had I not noticed a tweet from @iA regarding the matter.

What’s happened in the last 48 hours.

Well, things have gone quite mental in a few places regarding this issue, blog posts have been made aplenty, news articles have sprung up and much has been said and discussed on Twitter. Twitpic themselves even decided to bring something to the party, with a response on their own blog, though more on this later. I’ve had a variations in comments from ‘Thanks for letting me know’ to ‘You couldn’t be more naive’, all of which are there on the original post if you would like to go see the counter arguments (I’m firmly against censorship, I always leave all comments as they were posted).

Whilst obviously I don’t have access to the actual numbers of people using the various services available for posting pictures to Twitter, I have seen much commenting from people saying they wont use Twitpic any more, and I’ve seen a definite increase in the number of links I am seeing to pictures on other services.

I also find it interesting to note that a deal between Twitpic and WENN has been announced, a deal that will facilitate the sale of images posted by celebrities to Twitpic to the various news outlets via a licensing deal through WENN. This is exactly the kind of thing I was worried about, the sub-license and sale of images, and although this appears to be only geared towards images posted by celebrities at the moment the conditions in the TOS that allow for this equally apply to each and every user of the service.

The Twitpic Blog

As mentioned previously, Twitpic posted on their blog to state that they apologised for the new terms that were posted, and they they were wildly misunderstood, which was a deft move on their part I feel.  See, what most people don’t realise is that the initial change to the TOS for Twitpic also included a paragraph that stated:

You may not grant permission to photographic agencies, photographic libraries, media organizations, news organizations, entertainment organizations, media libraries, or media agencies to retrieve from Twitpic for distribution, license, or any other use, content you have uploaded to Twitpic.

(Paragraph copied from IanVisits)

This seems to have been misconstrued as meaning if you uploaded an image to Twitpic, then you were no longer free to license or sell that image anywhere else. I don’t read it as that, and this is where I think the confusion has entered into the matter. I read that as meaning that if you do sell this image to anyone or anywhere else, then you must provide that image directly to the buyer yourself, and can not direct them to Twitpic to retrieve the image.

I think that it is this paragraph or clause that the Twitpic blog post refers to, and it is this which they apologise for the confusion about, not the new clauses that still remains to this moment, the clauses which I discussed in the previous article. They did however get a lot of mileage out of people thinking that this blog post referred to the points I, and others, made about the grant of license to images.

I also find it really interesting to note that of all of the posts on the first page of the Twitpic blog (at time of writing) there are only two posts that have commenting disabled; the one about the changes to the copyright, and one which is a job vacancy advert (and therefore requires no reply). I would have thought that if this really was an issue that they thought had been taken wrongly and that they wanted to clear up, then they would have allowed commenting and addressed the issues that visitors brought up, rather than just shutting up shop and hoping that the retraction of a mistake would be taken as the back tracking on the issue that most think it is, when (in my opinion) they are actually talking about a clause that most don’t even know existed.

Defending the clauses

I’ve had a few comments through various channels that these clauses are needed to operate the business and provide the service to which their users have signed up, but I disagree with this idea. Things such as “They need to sublicense for their bandwidth provider to carry the content” doesn’t ring true when it could have easily been worded as “our third party infrastructure” or “our suppliers” rather than “successors and affiliates” (affiliate marketing, familar term to anyone?). Claiming that Facebook made this same mistake and didn’t withdraw their terms is simply wrong, if you look at the TOS that Facebook initially tried to push through it claimed rights to derivative works, something that it no longer does in it’s terms. Part of the problem here is that people are accepting too much as a means of providing a service, such as thinking that derivative works is needed to provide an image service. A thumbnail (in the USA at least, where Twitpic is based) has already been classed as a transformative change (See Leslie A. Kelly v. Arriba Soft Corporation) as it is a change that provides additional functionality to the user, and as such is transformative in providing information in a way it was not previously available. A company such as Twitpic does not require a derivative license to be able to provide their service, but they do need it to be able to modify and republish the image in other formats.

So what happens now?

Personally I am still adamant on the statement that I have left Twitpic, and will no longer use their service. I doubt I would even return now if they change the terms back to what they were prior to the 4th of May because I have lost faith in the company for the very fact that they have brought in these clauses and the fact they neglected to announce the changes to their users.

I have personally settled on Posterous, though I have seen others going to other services which have even more friendly terms of service (Pesterous claims reproduction rights in line with their advertising of their own business, I have no issue with this, it is standard practise for me as a photographer to do this with portfolio photographs).

I guess my final advice is to carefully think about the images you are posting, how much you value them, and what would happen if they were reproduced without your input or decision on where they could be used (as is what you are essentially agreeing to in some of the TOS). If you’re comfortable with the terms then go right ahead, make an account and start posting (some of them can even import your old Twitpic images!), but if you’re not happy for whatever reason then keep shopping around till you find one you do agree with.

We have a plethora of services and choice for almost every aspect of our on line lives, and I firmly believe that it is through voting with our feet and moving away from services that make poor decisions and fail to respect their users that we will eventually create a system in which we are considered and catered for when changes like this are discussed in boardrooms, and not just tied in to terms that are very much one sided through clicking an ‘I Agree’ button.

~Shepy

I saw a retweet of an update frorm @iA this afternoon which pointed me towards the terms of service of Twitpic stating that as of 4th of May they were claiming copyright license on all images uploaded to their service.  Understandably annoyed at this, I followed the link and had a read, to find the following paragraph (emphasis mine):

You retain all ownership rights to Content uploaded to Twitpic. However, by submitting Content to Twitpic, you hereby grant Twitpic a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content in connection with the Service and Twitpic’s (and its successors’ and affiliates’) business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels. You also hereby grant each user of the Service a non-exclusive license to access your Content through the Service, and to use, reproduce, distribute, display and perform such Content as permitted through the functionality of the Service and under these Terms of Service. The above licenses granted by you in media Content you submit to the Service terminate within a commercially reasonable time after you remove or delete your media from the Service provided that any sub-license by Twitpic to use, reproduce or distribute the Content prior to such termination may be perpetual and irrevocable.

What this means

That first bold bit there essentially says they can do whatever they like with the image, at no cost, including selling it or transferring their license to any and all third parties which they chose, including the ability to make derivatives works (which would cover removing any watermark you may happen to have placed on the image).

The second bold bit basically covers them for anyone they like to be able to use their images, you have no say in who can use or license the image.

The third emphasis says that even if you delete the image, if they already have a sublicense in place then there is nothing you can do about it, and that license will still stand.

Imagine these scenarios:

• You happen to be there when something major happens, they can sell your images to the news services.
• You upload images of a friend, they sell those images and they are used without yours or your friends permission to advertise something unsavoury or adult.
• Your image / likeness is used to promote a product or service you feel strongly against (a pregnant mother in anti-abortion ads, when she is pro-choice)
• Those “Meet singles in your area” adverts you see on the right of Facebook, how would your husband feel to see you in one of those?
• A photo you took of a product is used, and the trademark owner decides to sue for that use, you as copyright owner could potentially be dragged in to it.
• An image of yours is used in a negative way, and the stigma of that is associated with you name which could affect business if you are a photographer.

Those are just the uses I can think of off the top of my head, there are bound to be plenty more.

Reaction

I immediately deleted all of the images I had on Twitpic, thankfully none of which had been uploaded since the change of terms on the 4th, and removed Twitpic’s right to access my twitter account. I uploaded one final picture which simply said in huge letters “Bye Twitpic You Bunch Of Thieving Bastards” which I can categorically say I have no qualms about if they wish to sublicense or allow the use of by anyone, anywhere.

One of the main reasons I used Twitpic was because of it’s ubiquitous support in Twitter clients, and the fact I had been using it for so long (813 days according to the oldest picture I deleted), and that it is the only choice for picture service native within the Android version of Tweetdeck which I use.

What to use instead

Thankfully the wonderful @alittlebit recommend Posterous, which I have now signed up for and will be using in the future to post pictures on Twitter, probably as well as a few short video clips and suchlike.

Like Twitpic it automatically sends out the tweet for me (as well as also being able to automatically post to a myriad of other services), and there is a handy app for my Android phone which will upload them for me, so in usability terms I lose nothing, but gain the ability to also upload pics via email and to add extra content or information to the post / pic before it is published and obviously retain the copyright, as it should be.

And just in case you’re wondering what Posterous terms of service have to say on the same matter;

You shall retain all of your ownership rights in your submissions; however, by submitting material to Posterous you grant Posterous fully transferable rights to use, reproduce, distribute, modify, transmit, prepare derivative works of, display and produce the material in connection with Posterous and Posterous’s business, but solely in accordance with these Terms of Use and our Privacy Policy.

The key difference there is that you are granting license only in so far as may be deemed appropriate for the promotion and advertising of the Posterous service (which is likely to cover them for screenshots in news magazines etc), and not that they can sub license the images for any other use.

Final thoughts

You think that Twitpic would have learned from the mistake that Facebook made when they attempted much the same thing last year, and then very quickly withdrew the clause from the terms of service after massive outcry from their userbase. You can bet that Twitpic have something in mind for this, you don’t add something like that to your terms of use without having a reason to do so, but I for one don’t intend to be around to find out what that is, and hopefully neither will you.

If you want to sign up with Posterous you can do so by clicking here

You can follow me on twitter by clicking here.

UPDATE: There is a follow up to this article here: http://www.shepy.co.uk/blog/2011/05/twitpic-why-i-wont-go-back-and-why-you-shouldnt-either-a-follow-up/

~Shepy

I’ve mentioned here before about how little trust I have for logging exact co-ordinates of anything to any kind of permanent or shared information, but this takes it one step further. At least with all of the technologies and uses that I have discussed so far, you have the option to select not to record or share this information, they are ‘opt in’ features. This isn’t, this is enabled by default and has no option to disable it and does it without your knowledge.

Personally I think this is a massive violation of privacy, and could potentially lead to a lot of problems later down the line, to give a few examples:

• You are suspected in a crime, the police demand and seize your phone. They can legally demand that you had over the key to any encrypted information that you have, under threat of imprisonment, so you can bet your life they can demand this information in the name of evidence.
• You make a claim on your insurance, but they think you may have been going too fast. They demand this file as proof of your location and time stamp (which can be used to factor velocity and trajectory) and refuse to pay out on the insurance without it.
• You are undergoing divorce proceedings, accused of extra curricular activities. The opposing lawyer requests to submit this log into evidence of your whereabouts. Lets say you’ve been to an ‘adult’ store, it bears no relevance in this case, but you can be sure it would be used to bring your credibility into question.
• You lose your rucksack, it has your phone, your wallet and your house keys in it. If you’re unlucky enough not to have any security on your phone then the person who has your house keys and work’s keyswipe card now also has a log that shows two clear clusters of activity around your workplace and home, they know where they keys are for and where they keypass works. Fancy spending a few hours explaining to your boss why they just had 4 laptops stolen and yours is the only keycard used to access the building that night?
• You know that app that you gave permission to access and change files on the storage of your device, and full internet access so it can store it’s pictures and upload them to the net for you to share? Yeah, you also just gave that app the opportunity to send a copy of this file back to wherever it likes for whatever use is so desired.

These are just the first ones I can think of off the top of my head, you can be sure there are more.  If ever there was a reason to get rid of your apple device, and get something more open then this is surely it. This log is even included in the default set for device backup when you chose to do so, as prompted so often, by iTunes. Get a new device, or have to restore your current one for some reason and the log gets restored to the device and continues to log further.

I look forward to seeing what the justification for this is from Apple. Whilst I can understand the need to perhaps cache this information to prevent drain on the battery of constant GPS fixes from various apps, anything more than a 15 minute buffer is entirely overkill and without reason.

You can find more information about this through any one of a number of sites and news sources (google link)

~Shepy

Well, someone decided to take that further, and has come out with some software called Creepy – which given a twitter username or flickr username will trawl through tweets and pics, collate them all together and then present a handy map with times and dates for where that person was / is. (See screenshot in this post)

Now, historic information like this might not be too much of an issue you might think, but what about if it has a massive cluster around two places? Most likely your home and work, a bit more concerning then ?

If you want to have a look, and see what info it shares about you, get yourself along to http://ilektrojohn.github.com/creepy/ and give it a try.

~Shepy

Sadly there seems to be somewhat the starting of a trend of trying to ladle in new features to applications, and not giving any option to disable the new addition. This becomes especially problematic if your new feature takes up valuable screen space on the already limited display of a mobile device, such as with the new trending bar at the top of Twitter for iOS. Another particularly annoying one recently was the inclusion of Deck.ly support into Tweetdeck (though thankfully this was given a disable option shortly after!)

It’s normally not that much extra work or code to add something in to the options to allow users to disable these new features, and might even help you retain userbase. Sure you dont want your options dialogs to be turning into the spanish inquisition, but there has to be some middle ground here. I’ve personally ditched apps both on desktop and mobile in favour of a competitor product because I couldnt tolerate a new feature, and I’m sure I’m not the only one.

So please, I’m begging you, if you codesoftware (mobile / desktop / web, whatever) then please put the decision back with the user as to which features they do and dont have to use or have displayed?

Today I saw a  @paul_a_smith retweeting a link from @arlloyd which was an article, with video on the guardian site showing mounted police charging on the protestors, one of whom is pregnant (and though they had no way of knowing that, they should assume the possiblity of potential risks such as this).  Here is the video from the article:

httpv://www.youtube.com/watch?v=rgxwTF-qeAo&feature=player_embedded

While some of the damage and material loss caused by the protest is deplorable, nothing warrants these people being charged by officers mounted on horses. For the Met Police to then deny that the crowd were charged shows a level of incompetency and underhandedness that is simply unacceptable.

In my opinion, there should be an external investigation which covers:

• Why the order was given to charge
• What risk assessment was done prior to the order
• Why the charge was hidden and denied afterwards
• What injury was caused by this charge
• How will those responsible be brought to task (criminal or professional).

The original article on the Guardian website can be found here for anyone wanting to read more.

~Shepy

A quick image for people who are not familiar with the backscatter machines might help you understand why one might want to opt out of these;

Move your mouse over that, for an invert of the image. That’s an invasive image if ever I saw one, likely recognisable to anyone who know’s that girl, and far beyond what someone should be expected to subject themselves to in order to gain passage through a country’s border. Now whilst we are assured that this type of image is merely to show the capabilities of the machine, and that in actual use the resolution will be dialled back to preserve privacy, there is no 100% guarantee this is done in every airport & installation, and the trust in this statement is damaged more with other statements being proved wrong about their operation;

When these AIT scanners were rolled out there was assurance that no images could be stored, saved or transmitted from these machines (even if you ignore for a moment the ‘Analogue Hole’ of someone being able to photograph the screen), despite a report and spec sheet months prior to launch asserting that they would need these features for ‘training purposes’. Then a few months ago, a federal agency admitted that it routinely saved and transmitted these images; news article here (new window). One guy has even be charged with assault after his co-workers at the airport where he worked at started a tirade of abuse about his genitals after they were seen during training on the device; news article here (new window)

Here is a quick CNN video on the machines:

httpv://www.youtube.com/watch?v=muYh8d70yow

So what happens if you don’t want to go through an AIT machine? Well then you can opt to have a pat down to be checked for concealed items, as has been done for years by police and security officials, right? Wrong, things just got a whole lot worse.

Starting October 29th the TSA in America have began a new pat down procedure, entitled ‘Enhanced Pat Down’ in which the subject will be essentially groped and felt all over to check for suspicious items, which will include genitals and breasts etc being checked.

Here is a video that shows you a little bit more about the new procedures:

httpv://www.youtube.com/watch?v=hrq86qV2x2s

In my opinion, this has gone too far and has firmly overstepped the line from security into an invasion of privacy and affront to the dignity of the passengers, to quote an oft used line:

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. – Benjamin Franklin 1755

It is for this, and other security measures in place such as iris / retina scanning that I refuse to visit the USA, and will continue to do so until (if ever) there is a change. One group is working to try and bring about that change, and is encouraging people to opt out of the AIT scans on November the 24th, which is when a lot of Americans fly home for their Thanksgiving celebrations.  I sincerely hope that this protest has an effect, and starts the ball rolling to bring about changes in these policies, though the realist in me rather worries that it wont, and things will continue unchecked.

If you want more information on the November 24th National Opt Out Day, that can be found here (new window).

Comments and suggestions always welcome.

UPDATE: A friend on facebook commented, to object to TSA intrusion call state senator before Nov 17th hearing – info @ http://is.gd/h1YWd

~Shepy

Those are just three examples from page refreshes. Dont get me wrong, I hate spam as much as the next guy, but if your captcha is so bad that it is unreadable, or even causes someone to have to stop for 20 seconds to try and read it, then your system is broken. At least with systems like re-captcaha there is a refresh button so you can quickly and easily get a new one if the current one is too bad, but no such option exists with google other than refreshing the page.

Come on google, sort it out.

~Shepy