Privacy breaching in bank and health websites in Portugal

Technical Report
InterProlog Consulting, August 1, 2019

As one navigates the web, the use of cookies and some privacy breaching are expected, in the sense that browser cookies from Facebook and other parties make our navigation known for marketing purposes. As we navigate “anonymously” through several websites, cookies link us to our non anonymous selves – such as a Facebook or Google account and its extensive profile.

But after authenticating into a web site for a company (due to be) complying to banking, health or just vanilla GPDR regulations, and entering into an HTTPS (encrypted, private) session… one would expect privacy to be respected!

Alas… that is NOT the case in Portugal. Some banks and health service companies disregard the above principles, incurring into blatant ethical and (likely) legal violations, and let third parties with a vested interest (Facebook, and others) know all about our “private” navigation, in exchange for what…? We still don’t know, but read on:

MillenniumBCP – bank

UPDATE: as of October 2, 2019, and following a complaint to Bank of Portugal, the national regulator authority, MillenniumBCP no longer sends the HTTP requests to Facebook if the cookie consent form is responded to accordingly. But it still does… to Google.

As one arrives to its website, MillenniumBCP (one of the 3 largest Portuguese banks) presents a cookie consent form:

We filled it with default values, disallowing “re-marketing”; even so, plenty of HTTP requests to Facebook are made prior and after authentication, evidently notifying Facebook of all “private” page navigation within the customer banking interface:

For example, Facebook knows whether one navigates to “My portfolio” (“As minhas poupanças”) or “Make a transfer” pages, therefore getting very precise private behaviour information.

So Facebook knows that you have an account in MillenniumBCP, which seem to violate Portuguese and European secrecy laws.

The above evidence was collected simply with Firefox’s network monitoring tool; more here (HTTP Archive Format obtained with Charles HTTP proxy).

Santander – bank

Santander is another of the 3 largest Portuguese banks. In addition to Facebook, Santander’s “private” customer banking website emits extensive HTTP messages also to Google Analytics and byside.com:

So Facebook knows that you have an account in Santander, which seems to violate Portuguese and European secrecy laws.

Other banks

BPI and CGD, two of the other largest Portuguese banks, do NOT incur in such practices as far as we could detect.

MyCUF – health services

CUF (Melo Group) is one of the largest private Portuguese companies in the health sector. Its “private” customer website notifies Facebook of all navigation within it:

So Facebook knows that you have an account with CUF, and very likely are a patient; we have not investigated whether navigation to past appointments/exames/etc. are detectable by Facebook.

Conclusion

A superficial assessment suggests that

  • Management of the above entities is not sensitive to privacy issues, and is squeezing customers’ value beyond what’s reasonable
  • The underlying technical staff ignores the consequences of its actions

Major ethics deficit all around. To be continued…

LPS demo site now available

The Logic Production Systems demonstration website is online at https://demo.logicalcontracts.com, after we developed it for the Imperial College, London.

The result of over a decade of research by the inventor of Computational Logic, Bob Kowalski, with Fariba Sadri, LPS is a new logic based attempt at unifying imperative and declarative programming languages. Follow the “with LPS” link for the open source repository and further information.

GAMEON 2016

Today Miguel Calejo participated with Luis Moniz Pereira in the keynote presentation “Games with Morality” at GAMEON’2016, the European Simulation and AI in Games Conference. The machine ethics technology discussed has potential application to autonomous vehicles in general and a number of areas where intelligent agents require… morality.gameon

The complete (183Mb) keynote slides are here. Luis’s personal page, with links to the literature and other demos, is here.

Miguel’s smallest segment covering the items below is here.

The keynote included two system demonstrations, which you can try yourself by installing the following software. Java is a prerequisite for both. It should work on Mac, Windows and Linux:

QUALM demo

This showed QUALM running under InterProlog Studio.

  • More information and instructions here.

Greenfoot + LPS demo

A Java Greenfoot “scenario”, LPSEntitiesWorld, providing the user interface for several LPS programs simulating moral puzzles.lpsentitiesworld

To install and run it:

  • Install Greenfoot
  • Install LPS, more information here .
    • That includes XSB Prolog, LPS and Studio (for its Java/LPS API, used by the Greenfoot scenario).
    • Try Studio and an LPS example: menu Help / Open LPS Example, and then in the editor window do File/Load; you should get a timeline display on a browser window
  • Extract the LPSEntitiesWorld zip file into a new directory; this will be your Greenfoot scenario/project
  • Greenfoot scenario configuration
    • Launch the Greenfoot app and open the scenario; edit the LPSWorld.java file to set the variables XSB and LPS to your XSB and LPS system directories respectively; if you ran Studio, these paths can be found near InterPrologStudio.jar inside the text file .ergosuite.prefs
    • Open the Greenfoot Preferences, Libraries tab; add the location of interPrologStudio.jar to the User libraries list
  • Right-click on the LPSWorld class and invoke the chooseScenario method; pick a moral puzzle scenario when asked. Hit the Run button.
    • At the bottom right there will be an indication of success
    • Right-click the LPSWorld class again and invoke the runWithoutLastKills method; this will repeat the simulation counterfactually (by retracting dead people beforehand), and will report whether or not those deaths are morally admissible, as per DDE.

Miguel Calejo’s smaller slide deck “Games with morality: some practical aspects” is here.

Studio now supports LPS

“Logic-based Production Systems” is a new computer language that combines the characteristics of an imperative programming language with those of a declarative database and knowledge representation language. It is useful for game AI programming, event stream handling, teleoreactive programming, and a lot more.

LPS is the result of over a decade of research by a world class team, and its first open source implementation has been made available; more details at https://bitbucket.org/lpsmasters/lps_corner.

Studio now includes specific support for LPS:

  • easy install
  • examples menu
  • semantic editor warnings
  • display event/action timelines

More details in Download and Install.

LPS_editor  LPS_timeline

Watson:-)

Having a good time at the AI Summit in London, but getting lots of hype – including, naturally, IBM Watson’s.

Let me reflect some of that hype here: our open source Java-Prolog bridge was part of Watson’s development! Just a bit of plumbing to connect the Prolog logic reasoner to the natural language processor, but we’re there:-) cf. description of Watson architecture by an academic project member.

Welcoming “Programming Machine Ethics”

“No morality without qualm“, hence the name for a new logic reasoner developed by the New University of Lisbon, which adds tabled abduction, updating and counterfactuals to XSB Prolog. QUALM is an experimental open source project living at github

Having followed the many years of computational moral and ethics research behind the new book “Programming Machine Ethics” by Pereira and Saptawijaya, coming out this week at Springer… we’re delighted to serve Studio enriched with support for QUALM – the main logic programming reasoner featured in the book.

Prolog Studio features for QUALM:

  • easy install
  • examples menu
  • semantic editor warnings
  • source call tree and graph

More details in Download and Install.

QUALM_screenshot

History

It’s been a while, but finally InterProlog is back… pulling forward into open source other related work that has been brewing over the last couple of years, namely Prolog Studio.

The last (maintenance) release at Declarativa was over 4 years ago, and a lot happened since then: I joined the SILK project in late 2011, which was good for the system, until Vulcan canned it  in early 2013; and at about the same time Declarativa’s web dev business had to shut down, at the peak of Portugal’s financial crisis… thus freeing yours truly for sexier stuff;-) Shortly after I co-founded Coherent Knowledge Systems; and this Summer, a year later, I left it  to pursue other interests – such as all things Java+Prolog related, logic for your app as the above headline goes.

SILK brought the old  Java-Prolog bridge into better shape – robustness, performance, flexibility; Coherent motivated my creation of Ergo Studio, of which Prolog Studio is the subset released here today. Along the way, another piece of code was upgraded and integrated into Studio: XJ, a little known (and still under documented, but stay tuned…) Swing declarative UI generator for Prolog that the good folks at XSB, Inc. released into open source too.

Logic programming is a unique secret sauce suffering from an historical fact: with a few exceptions, its master chefs have not cared to open that many restaurants! So there is a need to collect decades of juicy Prolog and related techniques and tools into edible form, for those developing apps for the real world. Prolog Studio and the Java-Prolog bridge are just first steps.

I’m pleased that all these dots have finally connected into this web site and the tools now prereleased for your enjoyment; more to come, pending your feedback.

Looking forward to comments and suggestions!

Miguel