What a Hancock-up: MP's social network app is a privacy disaster

Move over, Zuckerberg, there's a new social media overlord in town: grime aficionado and Tory MP Matt Hancock. In his new role as the UK government's digital secretary, Matt Hancock has decided to up his tech game by launching his very own app – but reports have emerged that it doesn't adhere to the data protection policies he …

  1. Aladdin Sane

    We call App Britain

    I thought this was Peter Mannion?

    1. wolfetone Silver badge

      Re: We call App Britain

      I've looked, he hasn't said Boo to Nanny.

      Yet.

  2. Blotto Silver badge

    I guess he gets points for trying?

    I guess he gets points for trying?

    1. John Sager

      Re: I guess he gets points for trying?

      No! If he wanted to try, then surely he could get a lot better advice on how to go about it, though consultancy rates in this area are not cheap. Now, of course, he has crapped all over what little reputation he may have had. Perhaps a decent web security consultant might have been a better investment?

      1. Destroy All Monsters Silver badge

        Re: I guess he gets points for trying?

        Not try. Do. There is no try.

        No points.

      2. Byz

        Re: I guess he gets points for trying?

        "Perhaps a decent web security consultant might have been a better investment?"

        I think an "app" security consultant would be better as apps also store data on the phone and synchronise between devices, which doesn't feature in web security.

        I have trained so many web developers over the years in iOS programming and they are blown away about how much more complicated it is dealing with a device that can hold data and process it locally (plus synchronise through a cloud that they have no control over).

        Web security is a very centralised view of the world, app development is far more distributed and can catch you out.

        He probably had a web security consultant, which might be where he went wrong in the first place.

        :)

        1. Prst. V.Jeltz Silver badge

          Re: I guess he gets points for trying?

          My guess is that whoever of his assistants was in charge of coming up with this application did not know any better and/or couldn't care less about the finer points of online communication and publishing, neither at a technical (somewhat understandable) nor at a legal (less understandable) level.

          OK Boff, I am now Digital Secretary and I'm promoting you to "my assistant". First things first: as Digital Secretary I should make my mark by having my own "app" to engage with my public on issues of digital security, privacy, industry, digital security, ICT developments etc....

          So nip down the market and get the cheapest / first one you see.

        2. Anonymous Coward

          Re: I guess he gets points for trying?

          > apps also store data on the phone and synchronise between devices, which doesn't feature in web security.

          I don't really agree. Both local storage, whether transient or persistent, and multiple end-point synchronisation are features of web development also.

    2. Anonymous Coward

      Re: I guess he gets points for trying?

      My guess is that whoever of his assistants was in charge of coming up with this application did not know any better and/or couldn't care less about the finer points of online communication and publishing, neither at a technical (somewhat understandable) nor at a legal (less understandable) level.

      Even if you are concerned about costs, as you legitimately should, and end up choosing a made-to-measure application rather than going fully bespoke, you would still want to make sure that it meets both your requirements and regulatory ones. Especially if you are the one making the law.

    3. Doctor Syntax Silver badge

      Re: I guess he gets points for trying?

      Don't you mean for being trying?

    4. Sam Therapy
      Thumb Down

      Re: I guess he gets points for trying?

      Nul point.

  3. Anonymous Coward

    Like the privacy policy on my new LG TV

    Says data will be shared with third parties but cannot specify, and may provide them with unspecifiable information about what I do with the set, microphone data etc. It, in essence, says anything we capture or infer from your presence here can be shared with anyone, in any way, and we can't tell you about it.

    I haven't been brave enough to accept that one, with the loss of the "suggested content" feature being the only obvious casualty.

    I am not a lawyer/solicitor but the policy wording is so vague as to make it not worth writing all the words they wasted below with details.

    Question is, is there anyone to complain to (that may care?)

    1. Dan 55 Silver badge

      Re: Like the privacy policy on my new LG TV

      Yes, but they're probably in Germany.

    2. Commswonk

      Re: Like the privacy policy on my new LG TV

      @ AC: It, in essence says, anything we capture or infer from your presence here can be shared with anyone, in any way, and we can't tell you about it.

      You mentioned a "policy"; what "policy" is it, and did you find out about it before or (more likely IMHO) after you had paid for it?

      The expression "unfair contract terms" springs to mind.

      WTF is the world coming to when you buy what is essentially a domestic appliance and it comes with a "privacy policy"?

      1. Dan 55 Silver badge

        Re: Like the privacy policy on my new LG TV

        Well, there's always the "don't connect it to the net and use a stick/Pi instead" option. The Smart TV apps will probably stop working in three years anyway.

    3. Doctor Syntax Silver badge

      Re: Like the privacy policy on my new LG TV

      "Question is, is there anyone to complain to (that may care?)"

      Trading Standards? ICO? But best wait until after May 18th.

      1. Prst. V.Jeltz Silver badge

        Re: Like the privacy policy on my new LG TV

        Well for me the TV is a one way device. I have to make do with having my privacy invaded at a different stage.

    4. post-truth

      Re: Like the privacy policy on my new LG TV

      In reverse order:

      "Question is, is there anyone to complain to (that may care?)"

      Yes (if they don't tell you about that in advance of 25 May, they're in breach anyway). Any or all of the relevant Supervisory Authorities, for a start. Choose from the 46-odd regulators, for a start (28 Member State data protection agencies, see http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, plus the EDPS, plus the German Länder authorities).

      Then there's the Article 80-promoted non-profit class action companies, such as Max Schrems' http://noyb.eu.

      Then there's the Member State Courts. If you can't work out which of your rights have been breached, just plead in respect of the "washup" Article 79. A small claim is sufficient (if your jurisdiction supports that) and is recommended as they are likely to eliminate all legal costs beyond the (usually recoverable if you win) dozen-beers money the Court charges you to file the claim. Post-GDPR the legal burden of proof is now on the defendant, so you arguably don't have to prove a thing beyond providing factual context, it's for them to prove their own compliance. (In England the standard thing is to add a claim, alongside the basic DPA 1998 or now the GDPR/DP Bill, in the new worldwide English tort of misuse of private information, but that uses tort rules so you'd have to prove stuff to Court standards of proof so don't try that in DIY litigation).

      "I am not a lawyer/solicitor but the policy wording is so vague as to make it not worth writing all the words they wasted below with details."

      If that is right, then it might be inferred that their "privacy policies" already clearly breach Article 12 GDPR, despite it being enacted into all Member States' laws since 2016. To detect breach you're not required to be a lawyer any more, that's the whole point.

      Article 12(1) of the GDPR (see p39 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN), specifying the modalities of information to be provided to data subjects, requires that information be provided in, inter alia, "... concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child...". Ambiguity, or failure to address any material point of the Articles 13/14 Notification requirements, arguably equals non-compliance. In turn non-compliance might equal fines (from any of the 46 empowered regulators in the EU) plus criminal prosecution of directors (conceivably including overseas following extradition). Even the CPS in England has prosecuted data protection offences using anti-racketeering law (POCA) to confiscate profits. Plus private injunctive relief (money for old rope), and compensation/class actions, including tort in or from common law jurisdictions.

      Some other fun stuff controllers must get right in advance: see for example https://www.gdpr360.com/gdpr-what-are-the-lawful-bases-under-which-data-can-be-processed

      Pro tip: avoid complaining until 1st July 2018 if you can resist. For technical reasons, waiting five weeks may "improve" evidence against defendants, both qualitatively and quantitatively.

      HTH

      Nothing communicated or referenced above is legal advice.

    5. Jamie Jones Silver badge

      Re: Like the privacy policy on my new LG TV

      Question is, is there anyone to complain to (that may care?)

      https://noyb.eu

  4. Tigra 07
    Thumb Up

    "Uninstall Matt Hancock"

    Yeah, sure, let's have a local election.

    1. Aladdin Sane
      Headmaster

      I think you mean by-election.

      1. Tigra 07
        Headmaster

        RE: Aladdin

        No, I did not. I accept the word is interchangeable with By-Election though.

        https://www.electoralcommission.org.uk/find-information-by-subject/elections-and-referendums/upcoming-elections-and-referendums

        "Local by-elections can take place at any time of year"

        1. Aladdin Sane

          Re: "Local by-elections can take place at any time of year"

          That specifically refers to local council by-elections.

          Local by-elections are when a council seat (parish, town etc.) requires filling. Parliamentary by-elections occur following a vacancy arising in the House of Commons.

          1. Tigra 07

            Re: "Local by-elections can take place at any time of year"

            In that case I still meant local election as only people *local* to that MP, as in, in that borough can vote.

            Could have said By-election too, but it's a bit late for that now. Thanks

            1. robidy

              Re: "Local by-elections can take place at any time of year"

              I think you'll find local refers to the political level not the geographic area.

              I know people who live abroad in the US who vote in MP elections...that would make the term local interchangeable with global.

  5. Stuart Castle Silver badge

    Even if this app is entirely above board (and the apparent lack of a data protection registration makes me wonder if it is), then what is the point?

    Yes, in theory, it enables us to approach the MPs more easily, but what about in practice? In practice, it'll probably go the same way as other dedicated social networks (such as Microsoft's Yammer), in that it'll become a place where we can get a little valuable information and a lot of noise. It is likely to ultimately become just one thing on a long list of things we need to check for messages, and another app we can leak data to.

    At the very least, if the MPs aren't responding to existing methods of communication (email, fax, phone, snail mail, twitter and facebook), then adding one more to the list isn't going to make them more likely to respond.

    1. Tigra 07
      Thumb Up

      RE: Stuart

      Direct Democracy:

      "Just got told to fuck off by my local MP and called a lazy waste of spunk LOL", "Then he liked some photos of my mum sunbathing in Greece and said "nice tits" and blocked me LOL"

      1. robidy

        Re: RE: Stuart

        Is he that Labour chap from Sheffield that beat Nick Clegg...no one's seen him for months...think the local paper has a reward waiting for u.

    2. emullinsabq
      Facepalm

      playground thinking

      then what is the point?

      Being from the US, I don't know who this guy is and don't really care. But if the problem is nobody is listening to you, the solution isn't a new platform.

      More likely, he rarely says anything worth listening to.

      Anyone who can fix that with an app wins the internet.

      1. kuiash

        Re: playground thinking

        He's my local MP. All I can say about him is he's very good at being the very important Matt Hancock and getting his face in the local papers.

        A whole f'n page about him, his likes and dislikes, how he likes walking, big picture... like bloody Hello magazine or something. I'm giving them a few weeks to see if they have a right-to-reply page for the other local politicians... all in the name of fairness (no chance in hell!)

        I don't really object to him... he doesn't really do anything to object to, or applaud. Just another stuffed suit with the appropriate vocab.

        1. Anonymous Coward

          Re: playground thinking

          He is a Tory. That is enough for decent people to object to.

          1. TheMeerkat

            Re: playground thinking

            By “decent people” you mean followers of hateful left-wing ideology who still have not grown up and believe in Magic Money Tree?

            1. theN8

              Re: playground thinking

              You mean the magic money tree raped by MayBot to keep the DUP's peckers up and in line?

  6. This post has been deleted by its author

  7. James Ashton

    "May" bad for privacy.

    ' "May" being a word that European data privacy watchdogs have strongly discouraged companies using'

    "May" also being a name they probably feel strongly about as well.

    1. Doctor Syntax Silver badge

      Re: "May" bad for privacy.

      "May" also being a name they probably feel strongly about as well.

      May also being a month they feel rather chuffed about.

  8. Yet Another Anonymous coward Silver badge

    A bug in the iOS version

    Surely if I deny it permission to access photos and it can - that is a bug in the OS not the app?

    Or are permissions on iOS purely an honours system ?

    1. Dan 55 Silver badge

      Re: A bug in the iOS version

      If the app uses UIImagePickerController then the app asks the OS to ask the user to choose a photo, and if one is chosen then the app is given access to that one photo.

      This is different from the app going through the gallery and opening as many photos as it likes with possibly no warning given to the user, which is what the photos permission covers.
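
The two access paths described in the comment above, side by side, as an added example that is not part of the original thread and is not the Matt Hancock app's code. The class and method names (`PhotoAccessDemo`, `pickSinglePhoto`, `countLibraryPhotos`, `handle`) are hypothetical; the UIKit and PhotoKit calls are Apple's own.

```swift
import UIKit
import Photos

// Hypothetical view controller contrasting the two ways an iOS app reaches photos.
final class PhotoAccessDemo: UIViewController,
        UIImagePickerControllerDelegate, UINavigationControllerDelegate {

    // Path 1: system picker. The OS presents the gallery UI and hands the app
    // only the single image the user taps; the photos permission is not consulted.
    func pickSinglePhoto() {
        guard UIImagePickerController.isSourceTypeAvailable(.photoLibrary) else { return }
        let picker = UIImagePickerController()
        picker.sourceType = .photoLibrary
        picker.delegate = self
        present(picker, animated: true)
    }

    func imagePickerController(_ picker: UIImagePickerController,
            didFinishPickingMediaWithInfo info: [UIImagePickerController.InfoKey: Any]) {
        let image = info[.originalImage] as? UIImage   // the one chosen photo
        picker.dismiss(animated: true)
        handle(image)
    }

    func imagePickerControllerDidCancel(_ picker: UIImagePickerController) {
        picker.dismiss(animated: true)                 // user chose nothing: app gets nothing
    }

    // Path 2: enumerate the library through PhotoKit. This is what the photos
    // permission covers; without .authorized the app must not touch the library.
    // (requestAuthorization needs NSPhotoLibraryUsageDescription in Info.plist.)
    func countLibraryPhotos(completion: @escaping (Int?) -> Void) {
        switch PHPhotoLibrary.authorizationStatus() {
        case .authorized:
            completion(PHAsset.fetchAssets(with: .image, options: nil).count)
        case .notDetermined:
            PHPhotoLibrary.requestAuthorization { status in
                let count = status == .authorized
                    ? PHAsset.fetchAssets(with: .image, options: nil).count
                    : nil
                DispatchQueue.main.async { completion(count) }
            }
        default:
            completion(nil)                            // denied, restricted or limited
        }
    }

    // Hypothetical sink for the picked image (upload, display, etc.).
    private func handle(_ image: UIImage?) {
        guard let image = image else { return }
        print("received one user-selected image of size \(image.size)")
    }
}
```

A privacy review of an app that shows a photo picker after the permission was denied would check which of these two paths it actually uses.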

    2. I&I

      Re: A bug in the iOS version

      Dishonourable app. Presumably not the only one? Stupid OS?

  9. tiggity Silver badge

    coincidentally

    By an amazing coincidence, Sharon Brittan (a director of Disciple Media Ltd) is on the same school (Michaela) governors board as Tory MP Suella Fernandes.

    But being minister for "digital" & taking his job seriously there's obviously no way Hancock would have gone for friend of one of his fellow Tory MPs approach in picking app designers, no he would have rigorously researched this and ensured a best practice solution was created, and he decided Disciple Media met that brief

    Cronyism or incompetence?

    Or both..

    1. Adam 52 Silver badge

      Re: coincidentally

      Much as I hate to defend an MP:

      - being on the same board of governors as another MP is a fairly tenuous link.

      - personal recommendation is a good way of selecting small value projects.

      1. Insert sadsack pun here

        Re: coincidentally

        Agreed, and I can't stand the Tories.

        One of Hancock's 316 fellow MPs is one of the 12 officers of a school, and one of the other directors of that school is also one of four directors of a media company (in addition to being an officer of about 20 other companies), and that media company did an app for Hancock...and this shows it's some kind of procurement stitch-up? Tenuous indeed.

  10. Anonymous Coward

    Theresa May should do an app, then again you wouldn't be able to uninstall it even if it crashed all the time.

    1. Brewster's Angle Grinder Silver badge
      Coat

      It would never crash though, because it would be strong and stable.

      1. Doctor Syntax Silver badge

        "It would never crash though, because it would be strong and stable."

        But it would have a back door.

  11. Lysenko

    Out of curiosity...

    It has also been pointed out that the developer, Disciple Media Ltd, which pinches off dime-a-dozen apps for anyone who will pay them, does not appear on the data protection registry of the Information Commissioner's Office.

    Why would an app developer necessarily need an ICO registration? Is this a cloudy "App as a Service" thing rather than actual software development?

    1. tiggity Silver badge

      Re: Out of curiosity...

      I'm assuming Disciple Media store lots of backend data (be it directly, or they themselves using cloud providers).

      Though there are lots of loosely worded "get outs" that allow you to not need to register with the ICO, depending what services you provide and how data is processed - people could just use ICO's own "do I need to register" tool and see what hoops to jump through to avoid need to register.

  12. Anonymous Coward

    Funding

    I wonder who paid for this?

  13. Paul Herber Silver badge

    Everyone needs their half hour of fame, this is Hancock's Half Hour.

    1. frank ly

      From now on, can we call him 'The Lad'?

  14. DontFeedTheTrolls
    Coat

    As appeared in a meme elsewhere:

    The Onion has been forced to wind down operations as they're struggling to make up stories matching real life today.

  15. PJ H
    Childcatcher

    Well I suppose we should be grateful...

    ... that it wasn't Mike Hancock (MP - well at least until 2014.)

  16. Anonymous Coward

    Amazon

    The app was created using Kotlin.

    It uses Amazon S3 "cloud" storage so you can be assured of security/privacy.

    /sarcasm

  17. anonymous boring coward Silver badge

    So using a task manager, I can now kill Matt Hancock?

    At least one amusing use of the app, I suppose.

  18. Doctor Syntax Silver badge

    "Our registration was renewed recently but this has not been reflected on the ICO registry yet," a spokesperson said.

    Didn't you follow that up with a query to the ICO? Indeed, didn't you ask the ICO about any of the other interesting aspects of the app? Go on, you know you want to.

    Maybe there's also scope for some questions next time it's his turn in the barrel in the HoC. A nice general question about privacy of apps in general followed up by asking how that applies to his own. Are there any MPs with sufficient technical knowledge to make a decent job of it?

  19. Anonymous Coward

    MPs' Mobile Phone Apps

    Does it display Members of Members ?

  20. Milton

    Please, Boris ...

    I want that fat idiot of a Foreign Secretary to produce his own app (I think Ego-Bloat Marketing Ltd specialise in politicians) just so I can have the long-dreamt-of satisfaction of clicking on the button that says "Delete Boris Johnson Y/N?"

  21. TheMeerkat

    Is he, as a Tory, just trying to demonstrate what Socialism would look like? I.e. when the politicians representing the State instead of private business would be responsible to decide how to build an app?

  22. Anonymous Coward

    As my local MP...

    ...He is a complete and utter $%)*&!"

    The classic example of the totally insincere career politician who lives in London, never visits his constituency except for a photo op, and who has hung onto Osborne's coat tails in the hope of political advancement.

    I cannot think of anyone less likely to be effective in the position he now occupies, except possibly Diane Abbott.

  23. Prst. V.Jeltz Silver badge

    "Other users and news outlets have also reported a bug in the iOS version that seems to allow the app to access to pictures even when permission is denied."

    Whaaat? Aside from this idiot MP making a mockery of our system of government by clearly demonstrating he is driving the bus as efficiently as a muppet baby , the bigger issue for me is:

    How come Apple have developed their iOS in such a way that it's up to the programmers of a 3rd party app whether they comply with the answers to the "This app wants to ..." questions? I mean why even have the questions if the results are optional?

  24. Admiral Grace Hopper

    Don't Menschn it

    What is it with MPs and chat-apps? It's almost as though the only technology that they can see a use for is poorly secured message boards.

  25. gypsythief

    other fairly intrusive "deets"

    What the fuck* is a "deet"?

    (Apparently, according to Urban Dictionary, it's a "detail")

    There's another journalist who writes for The Register who insists on using "peeps".

    For fucks* sake, you're professional journalists, not children. Use proper language.

    *Apologies for the swearing, but this pointless neo-millennial abbreviation drives me up the wall...
