The Canadian Privacy Commissioner just invited interested parties to file written submissions on privacy issues surrounding cloud computing.  Also for expressions of interest from anyone wanting to take part in a formal panel discussion in June.

Cloud computing - however one defines it - can be a compelling model, as it can provide advantages in cost, simplicity, and scalability.

It can though, pose issues around things like privacy, confidentiality, security of data, business continuity, and disaster recovery.  The importance of those issues varies depending on how the particular cloud product works, what you use it for, and how mission critical it is.

Yesterday I wrote about privacy consultations regarding the online tracking of consumers.  Privacy advocates want to ensure that consumer choice and privacy are respected.   Similarly, pressure is put on ISP’s and search engines to limit the amount of information they retain about their customers, and the length of time they retain it.  All laudable objectives.

On the other hand, law enforcement wants to require ISP’s to retain certain information about sites their customers visit for long periods of time to facilitate criminal investigations. See this CNet article for example.

Seems inconsistent to me.

For the London Free Press – February 8, 2010

Read this on Canoe

Canadians are invited to submit comments

Canada’s Privacy Commissioner, Jennifer Stoddart, recently announced a new consultation with the Canadian public on privacy issues related to the online tracking, profiling and targeting of consumers by marketers and other businesses.

Canadians are invited to submit comments and participate in panel discussions. Details are on the Privacy Commissioner’s website at http://www.priv.gc.ca/.

The commissioner says this consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect. Our goal, therefore, is to shine a spotlight on this evolving technological trend.”

Online consumer tracking takes several different forms. The most basic level of tracking places cookies on one’s computer to collect data about browsing habits. Global Positioning Systems (GPS) in mobile devices can supply consumer data. Deep packet inspection of Internet traffic is another way to gather data.

Of course, we advertise a vast amount of personal information about ourselves when we join social networking sites. Facebook, MySpace and LinkedIn are prime examples.

What many may not realize is that personal data available about anyone can be gathered from various sources and pieced together to create comprehensive personal profiles which are available for a price. The buyer may use the information to help them market their products to specific consumer groups. It can be a valuable commodity.

It is unlikely that anyone will put a complete stop to online consumer tracking. Some of it offers real benefits to consumers. The key is to attain a balance where privacy is respected without getting in the way of the advantages the technology provides.

Transparency and choice are important components. We should be made aware of what is being collected and why, and be able to choose whether or not the benefits are worth the disclosure.

This consultation is an opportunity for the public to become engaged in a topic that affects us all. Written submissions are being accepted until March 15.

They are also looking for people to take part in formal discussion panels in Toronto in April, and in Montreal in May.

This consultation aims to give the commissioner’s office a “comprehensive view of the privacy risks associated with the online tracking, profiling and targeting of consumers, and contribute to the development of new public education and outreach materials,” it says.

“It will also help shape the office’s input into the next parliamentary review of the private-sector Personal Information Protection and Electronic Documents Act.”

A second consultation will be held later focused on cloud computing, or using software from a remote location rather than having it on your own computer. It, too, is a technology that has compelling advant-ages, but can carry privacy risks and uncertainties.

Fanshawe College is putting on an eMarketing conference March1st entitled “Turning Clicks into Customers“.   The keynote speaker is Mitch Joel, author of  Six Pixels of Separation”.

I’m speaking at a breakout session on “Legal Issues for a Digital World” .

I’ll be commenting on issues including copyright, cloud computing, the Streisand effect, and social media and privacy.   

There are several factors that make digital law different from analogue law.  As I’m putting my presentation together, I’m realizing that the concept of  practical obscurity plays a big role in explaining some of the differences.

Today is international Data Privacy Day.

From the official website:

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.  In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

Also see more info on Wikipedia.

The Canadian Privacy Commissioner says: On Data Privacy 2010 we’d like to take a moment to remind everyone that is the responsibility of both individuals and companies to make sure that personal information is safe.   

Is the headlong rush to install body scanners in airports:

(a) an effective way to stop dangerous weapons getting on aircraft?

(b) a kneejerk reaction to the attempted underwear bombing?

(c) A massive, expensive invasion of privacy with no real benefit?

(d) More security theatre that makes it appear that something is being done, but accomplishes nothing?

(e) Wasting time and resources that could address the issue in more effective ways?

(f) Causing far more harm and inconvenience to air travellers than is justified by the small chance it will make a difference?

(g) Closing the barn door after the cows have all left?

These are questions we should be asking.   Here’s some food for thought:

From David Fraser:

http://www.privacylawyer.ca/blog/2010/01/pantsbomber-revives-debate-over-body.html

http://www.privacylawyer.ca/blog/2010/01/we-need-debate-on-privacy-impact-of.html

http://www.privacylawyer.ca/blog/2010/01/scary-and-funny-undressing-naked-truth.html

http://www.privacylawyer.ca/blog/2010/01/alberta-privacy-commissioner-has-some.html

UPDATE: As I was typing this, David added a good article on this topic on Slaw:  http://www.slaw.ca/2010/01/08/a-real-debate-about-privacy-and-security/

From Bruce Schneier:

http://www.schneier.com/blog/archives/2010/01/nate_silver_on.html

http://www.schneier.com/blog/archives/2010/01/another_contest.html

http://www.schneier.com/blog/archives/2010/01/airport_securit_12.html

3 completely different privacy articles taken together illustrate how privacy is really about informed choices.

First, a Techdirt post by Mike Masnick about a musician from Saskatoon that sought out the Google street view car to get his photo taken to promote his band.   The point is that he wanted the publicity and sought it out.   It was his choice.  That’s unlike the pervasive surveillance culture such as in the UK where one does not have a choice.

Second, Boing Boing’s Cory Doctorow refers to Google CEO Eric Schmidt’s comment that  privacy isn’t important, and Bruce Schneier’s brilliant response to that as follows:

Google CEO Eric Schmidt says privacy isn’t important, and if you want to keep something private, “maybe you shouldn’t be doing it in the first place” (in other words, “innocent people have nothing to hide.”)

Bruce Schneier calls bullshit with eloquence: “For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.”

(There is a T-shirt or poster waiting for a condensed version of that)

Third, the  EFF posts about the good, the bad, and the ugly about Facebook’s new privacy changes.  I know its a pain to have to take the time to deal with it – but we all need to go to our Facebook accounts and change whatever we need to.   Keep in mind that its our choice how much we want others to see, both by our privacy settings, and what we choose to post in the first place.

For The London Free Press – November 30, 2009

Read this on Canoe

TRAVEL: The practical reality is we have no control over these computer searches, so it’s wise to be prepared

Last summer, directives were issued by the U.S. Department of Homeland Security for searches of computers and other electronic devices at U.S. border points.

The stated goal was to combat crime and terrorism while still protecting personal privacy and civil liberties.

The directives allow border agents to search, detain, copy or examine any electronic device capable of storing electronic information for any reason.

As Homeland Security Secretary Janet Napolitano said at the time, “The new directives . . . strike the balance between respecting the civil liberties and privacy of all travellers while ensuring (Department of Homeland Security) can take the lawful actions necessary to secure our borders.”

Where “sensitive” information in involved, including solicitor-client privilege and medical records, border guards are directed to consult with agency counsel or the local U.S. Attorney’s office. But any information outside of this narrow privileged category may be searched.

Whether such searches truly accomplish the goal is questionable. As information freely flows across borders via the Internet, physical searches of computers will be of little use. And laws such as copyright are so fact-dependent, and even pose challenges to courts trying to sort out what is allowable, that it’s not a decision a border agent should make.

The practical reality is that we have no control over these border searches. So the Canadian Bar Association (CBA) has published a list of suggestions for lawyers crossing the border with laptops or electronic devices.

While the association published its work for the legal community, the suggestions are valuable for anyone entering the U.S. with an electronic device containing sensitive or confidential information.

The full text can be found at www.cba.org/CBA/PracticeLink/ TAYP/laptopborderupdate.aspx, but here are some of the most helpful tips:

- Travel with a “bare” computer that contains only the most essential information. Ensure that all work with data is done via a secure virtual private network (VPN). Consider using SaaS (software as a service) programs based on the Internet, rather than your computer’s hard drive.

- Turn off your computer early: At least five minutes before you get to U.S. Customs, make sure your computer is turned off so unencrypted information in your computer’s RAM has adequate time to void itself.

- Back up your data: Self-explanatory.

- Store data on small devices: Smaller devices can be carried more inconspicuously.

- Protect your phone and PDA: Phones now carry a considerable amount of information and needed to be kept as “clean” as possible in case they’re confiscated.

- ‘Clean’ your laptop once it’s returned: This will ensure that no programs or spyware have been installed on your computer.

In summary, the prudent approach for taking a computer into the U.S. is to ensure it contains no confidential, sensitive or privileged information.

Don’t rely on encryption, because the border agent may simply ask for your password.

The better approach is to leave all information on a Canadian server and access it remotely once in the U.S.

England has turned into one of the least privacy friendly governments.   It is a poster child for being overly invasive – with the usual unsupported claims that is is necessary to fight crime – and the position that governments and police forces can be trusted to be discrete and do the right thing.  But of course, when the official culture is one of invasiveness – the ‘right thing’ is a moving target.

Case in point: Boing Boing reports that a UK inquiry claims the police routinely arrest people they haveo intent of charging solely to get their DNA into their database.

That’s the title of my Slaw post for today.  It reads as follows: