ZDNet has an article entitled By the numbers: A dismal year for data breaches that says there were over 100 million data records lost. It says there were 327 data breach events in 2006 – up from 136 in 2005.

So what is the reason behind this?

Is more info being kept just because its easy to do, leading to a higher risk of loss?

Are businesses and institutions not keeping up with security requirements?

Many are due to internal problems – but are those that get them from the outside becoming more sophisticated?

Is the problem the same as it always was – but we are just seeing more reporting and disclosure?

Read the ZDNet article

Michael Geist has published his annual A to Z year in review article entitled The Letters of the Law: The Year in Canadian Tech Law.

Its worth a read. As Michael says, it has been a remarkably busy twelve months.

Read Michael’s article

David Canton – for the London Free Press – December 16, 2006

Read this on Canoe

Two recently released privacy surveys have proven flattering to Canada when ranking countries by privacy protection.

The first, released Nov. 2 by British-based watchdog group Privacy International, ranks 36 countries. Included were all 25 EU members as well as countries such as Canada, the U.S., Russia and China.

Canada and Germany were the only two countries to be given the status of having “significant [privacy] protections and safeguards.” On the other end of the spectrum, the United Kingdom, Singapore, Russia, Malaysia, and China were designated as “endemic surveillance societies.”

It’s ironic some countries that have stressed their devotion to personal “freedom” have fared so poorly when it comes to privacy protection. In terms of statutory protections and privacy enforcement, the U.S. ranks the lowest amongst democratic countries surveyed. Argen-tina, on the other hand, outranked 20 EU countries.

Privacy International director Simon Davies stated: “Argentina, Canada and Germany should be applauded for their efforts to protect privacy. Australia, Britain and the United States have not only performed abysmally, but they are embracing surveillance at an alarming speed.”

The second survey was undertaken by the Queen’s University-based Surveillance Project, a multidisciplinary research group. This survey compared the privacy attitudes of 9,000 people from Canada, the U.S., China, France, Spain, Hungary, Mexico and Brazil.

A majority of respondents found current surveillance laws too intrusive. This included, for example, 57 per cent of Americans, 53 per cent of Spaniards and 48 per cent of Canadians.

There was also an overall rejection of the idea that additional security screening should be given to visible minorities at airports. Approximately 60 per cent of Chinese, Hungarians, Brazilians and Canadians were against such procedures. Interestingly, only a third of Americans disagreed with those measures.

One area where Americans and Canadians held similar viewpoints was in their limited support for national ID cards. Whereas 78 per cent of French residents surveyed supported such identification, only 42 per cent of Americans and 53 per cent of Canadians did. As the project’s lead investigator, Professor Elia Zureik, said, “Europeans have more faith and trust in the government to regulate information.”

Compared with people from other countries surveyed, Canadians were among the most knowledgeable about the internet and privacy laws. They were also found to be very protective of their personal information and, accordingly, were among the most worried about providing it over the Internet.

In an interview, Bill Gates comments that DRM causes huge problems and “too much pain for legitmate buyers.”

Couple that with a Techdirt article about eMusic being very successful selling music without DRM.

So forget DRM – or at least find a way to make it work in a way that does not cause the pain.

Read a Boing Boing comment on Bill Gates’ comment

Read the Techdirt post

Wired News has a good article that looked at MySpace passwords (the author got them from a phishing attack that resulted in their publication), and compared them to workplace passwords. He found that on average they were more effective than the ones most people use at work.

In the end, however, the author states: None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster.

I agree that passwords are an ineffective security device. Most people don’t use effective passwords for the practical reason that they are too complex to remember, especially when we need them for so many things.

I am optimistic (delusional??) that eventually an effective biometric authentication method will be developed. That concept has its own challenges. For example, biometric “signatures” can’t be stored just like a password, as there would be no way to change it if it was compromised.

Read the Wired article

David Fraser points out in his Canadian Privacy Law Blog how important it is to keep only the information you actually need. The context is a UCLA breach that exposed information of people that they probably should not have retained.

Keeping too much information for too long is a chronic privacy problem. David makes a great comparison to the dangers of underground oil tanks that is worth a read.

Read David’s post

Today’s press talks about the Canadian Federal government’s decision to require the CRTC to deregulate local phone service in areas where there are 3 alternate providers.

The phone companies are pleased. Some think this will be good for consumers as it may lead to more competition and reduced prices.

Critics are concerned that the existing telcos wil undercut the competition, so in the end we will be left with no competition and higher prices.

Only time will tell – it will be interesting to follow this as it unfolds.

My personal observations are that while the cable companies have phone service, they are not competing on price. When you add up the prices of similar service from the phone company and the cable company, they are remarkably close. Strikes me that the cable cos see the telcos as their competition, not the independent Voip providers.

So at the moment we seem to have similar priced, similar quality services from the telcos and cable cos, with pure Voip plays coming in much cheaper and more flexible, but often with call quality issues.

Which leads to the network neutrality issue. Will this mean that it becomes even more tempting for any ISP that offers broadband service (ie the telcos and cable cos) to tinker with the quality of third party Voip?

Read an ITBusiness.ca article about the announcement

David Canton – For the London Free Press – December 9, 2006

Read this on Canoe

A U.S. judge has turned to Webster’s Dictionary, testimony from chefs, and U.S. Department of Agriculture representatives to assist in his ruling that a burrito is not a sandwich.

The distinction may seem trivial, but was crucial in a recent commercial leasing case and the same issue can arise in many contexts, such as trademarks, non-competition clauses, exclusivity clauses and reseller agreements.

It shows it is important to think descriptions through carefully whenever it is necessary to describe wares and services.

A chain of bakery-cafe restaurants, Panera Bread Co., was trying to keep a Mexican restaurant chain, Qdoba Mexican Grill, out of shopping malls where Panera already had a restaurant. Panera brought a lawsuit against the shopping mall in an attempt to prevent them from leasing space to Qdoba.

Panera relied on an exclusivity clause in their lease prohibiting the mall from leasing to any restaurant or bakery that obtained more than 10 per cent of its sales from sandwiches. Mall representatives retorted that Qdoba was not in the business of selling sandwiches, but rather burritos, tacos, nachos and enchiladas.

The mall recruited food experts who testified that a sandwich is of European roots and generally uses two pieces of leavened bread, while a burrito is specific to Mexico “and typically contains hot ingredients rolled into a flat unleavened tortilla.”

The shopping mall also relied on the testimony of a representative from the U.S. Department of Agriculture who stated the department views a sandwich as a separate and distinct food product from a burrito or taco.

Panera on the other hand argued for a broad definition of sandwich stating “a flour tortilla qualifies as bread and a food product with bread and a filling is a sandwich.”

In the end, the judge found that a sandwich was “two thin pieces of bread, usually buttered, with a thin layer (as of meat, cheese, or savory mixture) spread between them.”

The ruled stated that “under this definition and as dictated by common sense, this court finds that the term ’sandwich’ is not commonly understood to include burritos, tacos and quesadillas, which are typically made with a single tortilla and stuffed with a choice filling of meat, rice and beans.” It stated there was no reason why the Qdoba Mexican Grill could not lease space in the mall.

The City of London got hit with a big dump of snow over night – about 50 cm (that’s about 20 inches for the metric challenged). Things are pretty much at a standstill now.

Some places in the city have more like 3 feet of snow. But just to the west of the city limits, there was only 2 inches of snow.

This photo was taken from our front entrance this morning – the foreground is the sidewalk covered in a couple of feet of snow.

Michael Geist comments on the recently issued fact sheet of the Canadian Privacy Commissioner of DRM / TPM. And yes, there is a difference between DRM (digital rights management), and TPM (technological protection measures), but the high level philosophy is the same for both.

The fact sheet does a good job of summarizing the privacy concerns about DRM/TPM, and refers to the Sony rootkit as an example.

Read Michael’s comment

Look at the fact sheet