Spyware at Café París
Update: I'd just like to clarify that it is currently my opinion that the café is probably mostly innocent in this scenario. They are not and cannot be expected to be networking security specialists - the sales people and technicians at Síminn should have known better than to deploy spyware like this on an open public network.
I am preparing a complaint to the Icelandic Post and Telecom Adminstration, where I will ask them to explore how common surveillance of this type is at both of the major telcos, and see if they can make some sort of statement on the legality of these things.
If you read between the lines on the Websense website, it's pretty clear that this software intercepts and monitors every single request made to any web-site, recording in great detail who accessed what and when, often adding tracking cookies to each person's browser. This is of course done in the name of 'security', but it is basically an extremely powerful and invasive surveillance tool.
I discovered this, because apparently they've configured the software to intercept attempts to access Facebook - including encrypted HTTPS connections.
This is extremely un-cool, as people generally should have an expectation that any HTTPS communication is private and secure. Of course, if they hadn't gone too far and attempted to intercept my encrypted Facebook connection, I would have had no idea I was being monitored to this extent.
I complained to the shift manager at the café and complained on Twitter as well - the shift manager blamed Síminn and Síminn replied on Twitter, blaming the café. No surprises there...
Apparently, this sort of filtering has become increasingly common in Iceland (and elsewhere) of late, and I really feel it should not be tolerated - in fact, I doubt it is legal at all unless some relatively strict disclosure requirements are fulfilled, and maybe not even then (see Law 2002.30, articles 12.3 og 16 and Law 2003.81, article 47).
Now, if corporations decided to do this sort of thing to their employees, that is one thing, and there are laws about disclosure in such cases. But deploying this kind of spy-ware on open public networks like at this Café is another matter entirely.
We are all (or should be) entitled to privacy on-line and our legitimate connections should not be monitored or filtered in any way without our consent. So please complain loudly whenever you see this kind of thing, and vote with your wallets.
Also, I highly recommend using encrypted connections whenever possible and installing the Certificate Patrol extension for Firefox, it will warn you when site encryption certificates change unexpectedly, which can help you detect and respond to attempts to spy on you (just keep in mind that some certificate changes are normal, and unfortunately a few high-profile examples such as Google actually change them relatively frequently).
- http://www.dv.is/frettir/2011/6/30/fair-hafa-adgang-ad-gognum-netvardarins/ (PDF snapshot from 2011-07-01)
- http://www.dv.is/frettir/2011/6/29/netvordurinn-njosnar-um-netnotendur/ (PDF snapshot from 2011-06-29)
(The following two got yanked, for whatever reasons. Hopefully they will reappear when the journalists have finished doing more homework.)
- http://www.dv.is/frettir/2011/6/29/cafe-paris-njosnar-um-netnotendur/ (screenshot of original)
- http://www.visir.is/njosnad-um-netnotendur-a-islenskum-kaffihusum/article/2011110628830 (screenshot of headline)