Bloomberg accused of “snooping” on customers for journalistic gain

A bit of a media brouhaha is, er, brewing after a New York Times story late last week claimed that financial media giant Bloomberg had been using its proprietary data terminals to snoop on customers.

Actually, the NYT started out by calling it a “privacy breach on Bloomberg’s data terminals”.

The offence was only upgraded to “snooping” after the weekend, once Bloomberg made a public statement on the issue.

The Bloomberg Terminal is something of an anachronism in these the-web-shall-be-free times.

Although you can use a regular keyboard on a Windows computer to access the service, a dedicated “Bloomberg” keyboard still exists, with numerous extra keys to make it really easy to find stock prices and catch up on breaking news in the financial markets.

Whereas a modern laptop might have special keys to adjust, say, the keyboard backlight (Fn+F5 and Fn+F6 on my Mac, for example), Bloombergs have keys like GOVT, EQUITY and CURRNCY so you can zoom in on specific market sectors in an instant.

As Wikipedia drily notes, “the Bloomberg keyboard is heavier and sturdier than standard keyboards,” and if you’ve ever seen a trader working at a computer, you’ll know why: IT equipment lives a harsh life amid the frenzy of the markets.

But the system is now in the news for all the wrong reasons, following Matthew Winkler’s admission that so-called snooping “is inexcusable.”

Winkler, editor of Bloomberg News, the global news arm of the Bloomberg operation, also wrote:

“Now let’s also be clear what our reporters had access to. First, they could see a user’s login history and when a login was created. Second, they could see high-level types of user functions on an aggregated basis, with no ability to look into specific security information. This is akin to being able to see how many times someone used Microsoft Word vs. Excel. And, finally, they could see information about help desk inquiries.”

In short, the “snooping” didn’t let Bloombergers look inside the actual transactions that their customers carried out, any more than Google is able to look inside a web transaction you start after finding your way to a site via the Google search engine.

So why is it OK for Google to learn and retain vast tranches of data about what you search for, with an almost surgical precision, provided it doesn’t intercept your subsequent traffic with the sites you find, but not for Bloomberg to do something similar?

One answer, of course, is the expectation of Bloomberg’s customers, and the very purpose of subscribing to a proprietary, closed news system like Bloomberg’s that is specific to an industry sector.

Intriguingly, and rather importantly, the Bloomberg fuss is as much about what you didn’t say or search for as what you did.

The fuss, in fact, isn’t new, with the New York Times recounting how Bloomberg reporters were quickly onto troubled financial services giant JPMorgan Chase last year, after it suffered a vast trading loss, to dig for details about whether the company had sacked any rogue traders.

Bloomberg’s newshounds apparently used the fact that certain traders had suddenly gone silent, no longer logging in and using their terminals in their usual patterns.

→ This approach, relying not on knowing what was said, but that it was said at all, is known as traffic analysis. It is hard to defend against, since in extreme cases (often the most interesting and important to an attacker), you may urgently need to send many more messages than usual, or be unable through circumstances to keep up with usual patterns.
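To see how little data traffic analysis needs, here is an added example (not from the NYT story or from Bloomberg) that works on login dates alone and flags any user whose current silence is far longer than their own usual gap between logins. The user names, dates and the threshold factor are all constructed for illustration; the point for anyone running a service is that a bare login history deserves the same access controls as the content itself.

```python
from datetime import date, timedelta
from statistics import median


def _weekdays(start, end):
    """Constructed helper: every Monday-to-Friday date in [start, end]."""
    out, d = [], start
    while d <= end:
        if d.weekday() < 5:
            out.append(d)
        d += timedelta(days=1)
    return out


# Constructed sample data: user -> dates on which a login was recorded.
# Nothing about what the user searched for or traded is present.
LOGINS = {
    "trader_a": _weekdays(date(2024, 1, 1), date(2024, 2, 16)),  # steady
    "trader_b": _weekdays(date(2024, 1, 1), date(2024, 2, 2)),   # stops abruptly
    "analyst_c": [date(2024, 1, 1) + timedelta(weeks=w) for w in range(7)],  # weekly
}


def gone_silent(logins, as_of, factor=4):
    """Return {user: days_silent} for users whose silence as of `as_of`
    exceeds `factor` times their own median gap between logins."""
    flagged = {}
    for user, days in logins.items():
        days = sorted(set(days))
        if len(days) < 3:
            continue  # too little history to establish a usual pattern
        gaps = [(b - a).days for a, b in zip(days, days[1:])]
        baseline = max(median(gaps), 1)
        silent = (as_of - days[-1]).days
        if silent > factor * baseline:
            flagged[user] = silent
    return flagged


if __name__ == "__main__":
    print(gone_silent(LOGINS, as_of=date(2024, 2, 16)))
```

The weekly user is not flagged even though four days have passed since the last login, because the comparison is against each user's own pattern rather than a fixed cut-off.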

The NYT also quotes a former trader, Michael Driscoll, on the topic of how appropriate it was for Bloomberg to monitor its customers’ online activity:

“On Wall Street, anonymity is critically important. Secrecy and the ability to cover one's tracks is paramount.”

Thousands of cybercrooks, millions of pirates, and hundreds of millions of law-abiding internet citizens would probably agree with this sentiment (though they might often wish for a bit less secrecy and covering-of-tracks by Wall Street).

But the 2010s are an era in which we seem to be under increasing pressure to give up much of our anonymity and secrecy online, for a few very good but very many bad reasons.

Ironically, Bloomberg is now in hot water for just the sort of tracking that online web services do all the time.

Who searched for what, and when? What did they do last time they were here?

How long have they been away? What will they want to buy now they’re back?

Would now be a good time to email them?

Limiting just how much any major website learns about you across multiple visits can be tricky, but if you’re looking for some quick wins, try these:

  • Use your browser’s Clear History option regularly. This dumps the cookies and other locally-stored data that your browser remembers about you and sends back to your favourite websites every time you return.
  • Use Private Browsing as much as you can. It doesn’t stop websites tracking you when you’re logged in, but it provides a convenient way of auto-cleansing your browsing history afterwards, in case you forget.
  • Don’t stay logged in to sites all day long. It’s a lot less convenient to have to log back into Facebook every time you want to “Like” something, but it’ll prevent you giving out information to the wrong person by accident or through trickery.

We’re working as we speak on a digestible, educational and not-too-technical paper about how to keep cookies and locally-stored browser data under control: if you want to learn more about this much-misunderstood topic, watch this space!