Dangerous default re rDNS

adamwalker
Plusnet Help Team
Posts: 16,885
Thanks: 883
Fixes: 221
Registered: ‎27-04-2007

Re: Dangerous default re rDNS

Thanks for the feedback on this, especially how we provide information about rDNS in relation to your IP. I'm personally not sure how the username being visible to anyone could be a security issue though, as nothing can be done with that username without its associated password. Whilst I'm aware I've mentioned that before, one cannot directly lead to obtaining the other, so whilst I appreciate opinions will always differ, I don't see the issue.
If we were able to provide options for rDNS or handle this differently how would people like to see that done?
Adam
 Adam Walker
 Plusnet Help Team
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

Adam
Thanks for perusing this topic....  I believe that there may be a security issue depending upon why the customer chose it.  If they are unaware of the potential advertising of the name, they may choose something which is close to passwords used (yes I know it is poor security but people are people!).  Also, a name which may have rather too much of a personal / indiscreet nature may be chosen.  The ordinary punter who signs up to PN cannot be expected to know the implications of the PN rDNS policy.  Particularly when the default seems, to me and others, to be rather perverse and the opposite of what it should be, and where in many cases the customer will not have been provided with the correct information on which to make a valid judgement.
I really believe that PN should stop trying to defend the indefensible and change the default position to only showing the IP.  Then, if someone wants a memorable web hosting address for their granny, then they can request it!!
racquel
Grafter
Posts: 181
Thanks: 4
Registered: ‎21-11-2008

Re: Dangerous default re rDNS

Quote from: _Adam_Walker_
Thanks for the feedback on this, especially how we provide information about rDNS in relation to your IP. I'm personally not sure how the username being visible to anyone could be a security issue though, as nothing can be done with that username without its associated password.
Please let me know if anyone believes differently.

1: What is the overwhelming technical and business incentive for defaulting to something which appears to be annoying and catching out so many people, not just complaining here but in other forums too?
2: Why is it not technically possible to first of all WARN people that this dangerous situation
3: What about when your username is your real name? And that name is unusual and female? Why is NO warning given at any stage - signup or static IP selection - that these details will be made public?
And no, I don't buy the "public rDNS name is the same as having an email address" argument made by tech support. You CHOOSE to give out your email address and a warning is made at signup time.
It does NOT say that this username will be logged on the servers of sites the user visits.
4: Let's say your job is to certify that importers aren't importing endangered species product, and you're sending an email pretending to be someone interested in importing, say, ivory. I don't know about you, but everywhere I've worked, incoming customer emails are logged against a looked-up IP address. If your name is fairly well known as a certifier, then it's going to look a bit odd if Mrs Chen is posting from a totally different account. And so on.
Plusnet have given their final written answer on this, which is that they won't be changing the wording to warn of the rDNS defaults, or changing the defaults.
So, that combined with points 2 and 3 above are the basis on which the ICO believes it was worth starting a complaint.
Of course, we won't know for 3 weeks what they think, but you can bet it will suddenly become technically possible to change the wording on the signup page in that time :)
(Although, of course, they'll be looking at the wording on the screen caps at the time of the complaint and Plusnet's final answer, not any changes in the meantime).
rja
Grafter
Posts: 55
Registered: ‎28-01-2013

Re: Dangerous default re rDNS

I think it goes beyond that. I for instance have used my own name as my Plusnet username. I was warned that this would form part of my Plusnet email address but since I don't use that, it wasn't an issue. However, I would argue that my name comes under the category of "personally identifiable" data which Plusnet is supposed to protect under the DPA.
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

I would further add that with Plusnet fighting so many other fires in respect of poor latency / gateway issues, and rather too many other negative feedback problems in this forum, they might decide to actually agree with the majority of their customers and just change the current default position re rDNS.  A quick and easy win with no losers that I can discern.
billBS16
Newbie
Posts: 4
Registered: ‎05-03-2013

Re: Dangerous default re rDNS

Quote from: _Adam_Walker_
Thanks for the feedback on this, especially how we provide information about rDNS in relation to your IP. I'm personally not sure how the username being visible to anyone could be a security issue though, as nothing can be done with that username without its associated password. Whilst I'm aware I've mentioned that before, one cannot directly lead to obtaining the other, so whilst I appreciate opinions will always differ, I don't see the issue.
If we were able to provide options for rDNS or handle this differently how would people like to see that done?
Adam

Perhaps, just perhaps, "security issue" is the wrong way of looking at it. As you rightly say, the user name is useless without its associated password. However....
People can choose whether or not to give out their @username.plus.net email address, and may choose not to if they don't want to give their identity away to the world. But the minute you choose to have a static IP (for a very reasonable one-off £5 I might add (so it's not all bad)) you're plastering what is possibly your full name all over the internet.
I signed up originally using my proper name, which seemed like the right thing to do. I don't use my PN email address (other than for emails from Plusnet (and you guys know my name anyway)), but when I signed up for a static IP, at no point was I warned of what was about to happen! I phoned Plusnet and was told it wasn't possible to change this, but got in touch with one of your technical guys directly, who happily changed the rDNS for me to my IP.
It would I feel, be a much better 'default' option to go with the IP address xxx.xxx.xxx.xxx.plus.net rather than the current, username.plus.net configuration.
As for sharing your photos with Granny, well, that's what DynDNS is for ;)
Bright
Grafter
Posts: 363
Registered: ‎02-02-2013

Re: Dangerous default re rDNS

Quote from: _Adam_Walker_
I'm personally not sure how the username being visible to anyone could be a security issue though, as nothing can be done with that username without its associated password.

True, but equally nothing can be done with the password without the associated username. Lots of people re-use passwords on multiple sites. Lots of people have had passwords stolen from insecure web sites. The point is that a username and password are the two tokens that someone needs to access an account. My front door has a Yale lock and a Chubb lock. If I give a copy of my Yale key to everyone I meet on the street are you saying the security of my house is not reduced?
And like others, I am using my real name as my username. So my privacy was being breached every time I visited a web site.
Quote from: _Adam_Walker_
If we were able to provide options for rDNS or handle this differently how would people like to see that done?

As BillBS16 suggests: IP-address.plus.net
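An added example, not part of the thread and not Plusnet's own tooling: a small audit that separates the two rDNS naming schemes discussed above, an IP-derived name versus a name carrying some other label such as a username. The `plus.net` zone comes from the thread; the accepted separators, the generic words, the sample records and the username `jane-doe` are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket

# Assumption: generic words an ISP might put beside the octets in an IP-derived name.
GENERIC_WORDS = {"", "ip", "host", "static"}

def classify_ptr(ip, ptr, zone="plus.net"):
    """Return 'ip-derived', 'named' or 'other-zone' for one PTR hostname."""
    ptr = ptr.rstrip(".").lower()
    suffix = "." + zone.lower()
    if not ptr.endswith(suffix):
        return "other-zone"
    label = ptr[: -len(suffix)]
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    nums = [int(n) for n in re.findall(r"\d+", label)]
    words = re.sub(r"[\d.\-]", "", label)  # what remains once digits and separators go
    # IP-derived: the label is just the octets (forward or reversed) plus a generic word.
    if nums in (octets, octets[::-1]) and words in GENERIC_WORDS:
        return "ip-derived"
    return "named"

def leaked_labels(records, zone="plus.net"):
    """Map each IP whose PTR carries a non-IP label to that label."""
    found = {}
    for ip, ptr in records:
        if classify_ptr(ip, ptr, zone) == "named":
            found[ip] = ptr.rstrip(".").lower()[: -len(zone) - 1]
    return found

def lookup_ptr(ip):
    """Live reverse lookup for your own address; returns None if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Constructed sample: documentation IP ranges and an invented username.
SAMPLE = [
    ("192.0.2.10", "jane-doe.plus.net."),
    ("192.0.2.11", "192.0.2.11.plus.net"),
    ("198.51.100.7", "7-100-51-198.plus.net"),
    ("203.0.113.5", "host.example.org"),
]

if __name__ == "__main__":
    for ip, label in leaked_labels(SAMPLE).items():
        print(f"{ip}: rDNS exposes label {label!r}")
```

To check a connection you control, pass `[(my_ip, lookup_ptr(my_ip))]` to `leaked_labels` after confirming the lookup did not return `None`.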
Phileasfrog
Grafter
Posts: 51
Registered: ‎01-08-2007

Re: Dangerous default re rDNS

Just a quick bump to ensure that this thread doesn't disappear into a forum black hole!  Any more input from PN following the further feedback in strong favour of an IP default I wonder?
dvorak
Moderator
Posts: 29,547
Thanks: 6,643
Fixes: 1,485
Registered: ‎11-01-2008

Re: Dangerous default re rDNS

Moderator note:
Please do not bump threads as it's against the rules. I'm sure the feedback has been taken on board.
Customer / Moderator
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: ‎31-08-2007

Re: Dangerous default re rDNS

I'm not convinced that it has dvorak, as with some other issues in the past in my experience. I am by no means convinced that this has been elevated to senior enough levels, or that they intend to do anything.
@Phileasfrog, the trick about bumping is to do so in a manner that isn't obvious that is what you are doing!
Quote from: racquel
In what way is a clear note that my username will be the same as my email address which I choose to give out or not, "the same principle" as telling every website I visit my plusnet username without any warning? Particularly as this would be a change from one situation to another.

I totally agree with you. Although I don't currently have a static IP address, I have considered it, and was totally unaware of this issue. I don't give my Plusnet email address out to untrusted individuals or organisations, even some family members - teenagers who are free to roam anywhere on the internet and don't seem to be interested in security issues, they get given a gmail address!
Quote from: _Adam_Walker_
......... I'm personally not sure how the username being visible to anyone could be a security issue though as nothing can be done with that .....
Adam

Adam, if you aren't sure or aware, then please refrain from commenting at all, unless it is about the positive steps that Plusnet are taking to change this.
Quote from: racquel
.....Plusnet have given their final written answer on this, which is that they won't be changing the wording to warn of the rDNS defaults, or changing the defaults.

Good luck with your formal complaint and more power to your elbow. You could report this to the ICO without waiting for the formal complaints procedure to complete.
Quote from: rja
..... I would argue that my name comes under the category of "personally identifiable" data which Plusnet is supposed to protect under the DPA.

Quote from: Phileasfrog
I would further add that with Plusnet fighting so many other fires in respect of poor latency / gateway issues, and rather too many other negative feedback problems in this forum, they might decide to actually agree with the majority of their customers and just change the current default position re rDNS.  A quick and easy win with no losers that I can discern.

I totally agree with both those two statements.
So in a few simple words, Plusnet - get your finger out and get this changed.
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Dangerous default re rDNS

This really wouldn't be a 'quick and easy' change. We'd need to consider the way DNS works for all static IP addresses. This includes those who will actually want the DNS showing as it currently does for static IP addresses, so that would involve a notice period and changeover period.
Quote
Plusnet have given their final written answer on this

Have we? I think a quick way of reducing some of the concern would be to get a message put on the Static IP addition page along the lines of 'If you choose a Static IP address, please be aware that the default rDNS (link to rDNS explanation) would be yourusername.plus.com - if you'd like this changing please raise a ticket to our support team'. Thoughts?
This thread has been flagged up internally, however please don't expect instant or even quick fixes to the actual DNS side of things (the text could be done pretty quickly) to this as I'm sure there is a load more backend stuff linked into the DNS system that I haven't thought of.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
ITWorks
Superuser
Posts: 2,108
Thanks: 756
Fixes: 9
Registered: ‎05-11-2008

Re: Dangerous default re rDNS

Chris, that seems a good starting point with the message; I assume this would be simple to do? This thread has been open 6 weeks, and it seems that because the thread was brought back to discussion on the 09.03.13 (previous post to this 08.0213), PN now think about doing something. Surely PN should have been more proactive over a month ago?
Regards
Mike

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Dangerous default re rDNS

I understand that this thread has been open for 6 weeks, but it's worth noting that this has been the default format for our static IP address for many years (at least as long as I've been here), so the number of complaints/concerns raised in that time has been minimal.
ITWorks
Superuser
Posts: 2,108
Thanks: 756
Fixes: 9
Registered: ‎05-11-2008

Re: Dangerous default re rDNS

But to raise a concern/complain you need to know about this in the first place, as at the moment, and in the past, the user is not informed when getting a static IP address that the default would be their yourusername.plus.com
Regards
Mike


Bright
Grafter
Posts: 363
Registered: ‎02-02-2013

Re: Dangerous default re rDNS

Although it's been the default for a very long time, probably most customers simply weren't aware of it. And concerns about security and privacy are greater now than they were in the past.
(Edit: Mike beat me to it!)
Appreciate that it's unlikely to be a quick and simple change, and you wouldn't want to go into it without working through all the issues and consequences. But it's good to know that it is getting some attention now. And as Mike says, notifying people on the fixed IP sign-up page would definitely be a very good starting point.
Thanks for the feedback, Chris.