David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.

September 1, 2010

Cleaning files from hard drives

David Canton @ 6:59 am

That’s the title of my Slaw post from today.  It reads as follows:

Most of us realize that merely deleting a file doesn’t really remove it from the hard drive or other storage media it resides on.  (For some background on this issue see a post I wrote a while back.)

Given how we use digital devices today – both for work and personal use – we can’t just leave this issue to our firm’s IT staff. Our personal computers at home, our phones, copiers, memory sticks and iPads all probably contain our own personal information, or personal or confidential information of others. We need to manage that not only while we use those tools, but when we dispose of them as well. Pulverizing them into dust – destruction to the smithereens level – is not always an option.

This Microsoft article is worth a read, as it explains the issue, has some suggestions to reduce the risks, and links to some disk erasing tools.

August 31, 2010

Privacy has shades of grey – but privacy settings are binary

David Canton @ 8:51 am

Mathew Ingram wrote an interesting piece on Gigaom entitled Privacy is Hard Because People Change Their Minds

From the article:

“Why is privacy so hard? Sociologist Danah Boyd, who specializes in the way people use social networks, says in the latest issue of MIT’s Technology Review magazine that it’s because “the way privacy is encoded into software doesn’t match the way we handle it in real life.””

The article talks about “civil inattention”, which is roughly the personal equivalent of “practical obscurity”. It means that when we are having a conversation in a public place, “people will politely ignore us, and even if they listen they won’t join in, because doing so violates social norms.”

The article goes on to say:

In other words, we all view privacy differently based on the situation we’re in, the other people around us and our relationships with them, our goals and desires within that particular situation, and so on. These things combine to create a complex web of competing pressures and incentives related to whether we keep something private or not: a web so complex that it makes a mockery of the various tools that most services such as Facebook use to help you manage your privacy.

Thus one of the reasons privacy is so complex is that it combines technical, business, cultural, educational, and behavioral issues.

As another illustration of complexity – and of how privacy is about personal viewpoints and choice – take a look at this NY Times article entitled Technology Aside, Most People Still Decline to Be Located. Location-based services are all the rage now – such as Foursquare, and the recent Facebook controversy. It talks about how many people are reluctant to share where they are – even if they are willing to share other information.

August 30, 2010

Open data presents opportunity, pitfalls

David Canton @ 8:14 am

For the London Free Press – August 30, 2010

Read this on Canoe

The open data movement – the concept that certain data should be made available to everyone to use without restriction – is growing steadily in popularity.

An example of open data use is the eatsure.ca London restaurant inspection score site using data from the health unit. Another is the Next Stop mobile app that shows the actual location of London transit buses using data from London Transit.

The concept applies mainly to data held by government and public corporations. They have information from which the public can benefit and it allows individuals to use and present that data in ways that the owner of the data may not have the time or inclination to do.

It is similar to the concept of transparency, which upholds that government and business should be accountable to their stakeholders.

While the concepts of transparency and open data are laudable, not all types of information should be freely available.

Privacy obligations prohibit personal information from being disclosed. And there are other things that, for various reasons, ought to be confidential.

Some information needs to be kept confidential for competitive reasons, and to facilitate frank and open internal discussion on various matters.

For example, negotiations or bids for a contract could get derailed if the details were disclosed.

Open data means we can’t rely on practical obscurity to filter things that are theoretically public, but in practice are quasi-private because they are not easy to access. Court files and property assessment information, for instance, are public, but it takes time and effort to get to them, which limits access somewhat in practice. Attempts to put them online have resulted in privacy and security concerns.

Open data does not apply to information about individuals. The decision to reveal personal information is, for the most part, the decision of that individual.

Except where freedom of information legislation requires disclosure, individuals and organizations still are at liberty to make their own decisions about what information to disclose.

Open data is a good concept, and will result in information being used in new and useful ways.

The concept, however, is a movement, not an obligation. Those opening up data need to think about what information ought to be disclosed, and what limits are needed to protect personal, confidential and sensitive information.

Public transit locations, restaurant inspection data, and information about the status of public facilities are easy to justify making open. Each type of data needs some critical thought to ensure opening it is appropriate and does not violate legal or contractual obligations.

August 26, 2010

Facebook v Privacy Commissioner

David Canton @ 8:28 am

David Fraser points out that the year Facebook said it needed to address privacy issues raised by the Canadian Privacy Commissioner is over, and there is speculation that the Commissioner may not be satisfied.

It will indeed be interesting to see how this shakes out.

Frankly, the things that Facebook does from time to time suggest that Facebook / Zuckerberg either doesn’t understand or doesn’t care about privacy.

Privacy issues can be complex and controversial – but the basic concepts of personal choice, transparency as to what is being done with one’s info and how to control that in a simple manner, and opt-in to new privacy sensitive features – should be easy to get.

August 9, 2010

PIPEDA governs how data is collected and used

David Canton @ 8:21 am

For the London Free Press – August 9, 2010

Read this on Canoe

Case involves actions undertaken by insurer State Farm on behalf of a client

The Federal Court of Canada recently released an important decision on the parameters of “commercial activity” under the Personal Information Protection and Electronic Documents Act (PIPEDA): State Farm v Privacy Commissioner.

The act is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business.

The act defines commercial activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

In State Farm v Privacy Commissioner, the State Farm Mutual Automobile Insurance Co. questioned the privacy commissioner’s jurisdiction to investigate a refusal to provide access to personal information and her power to compel the production of documents during the course of an investigation.

Specifically, it dealt with a situation where State Farm retained a private investigator on behalf of an insured person who had been sued by a motor-vehicle accident plaintiff. The private investigator conducted video surveillance on the plaintiff. The plaintiff sought access to the surveillance footage under the act.

The court concluded it would not be commercial activity for a defendant, herself, to collect evidence for the defence of a tort claim. There is no “commercial character” associated with that particular activity. The court then concluded that, because the primary characterization of the activity is not commercial, using a third party (such as an insurer, a law firm or a private investigator) to carry it out does not render it commercial.

“I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand – in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action — is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties.”

In this case, the insurer-insured and attorney-client relationships are simply incidental to the primary non-commercial activity or conduct at issue, namely the collection of evidence by the defendant . . . in order to defend herself in the civil tort action brought against her.

In other words, the decision essentially says that if the act does not apply to something that X does, the fact that X hires someone else to do it (which is a commercial activity) does not turn that something into commercial activity for X, and thus does not make it subject to the Personal Information Protection and Electronic Documents Act.

August 5, 2010

The seeping data problem

David Canton @ 7:19 am

We all back up our data on computers, smartphones, and wherever else it is held. That’s a good thing – but an article on the StorefrontBacktalk blog entitled Are Data Backups Unintentionally Expanding Your PCI Scope? talks about how payment card data can seep into places you don’t want it to, which is then in turn backed up. While the article focuses on payment cards, the issue could apply to any data.

The entire article is worth a read – whether you deal with credit and debit card information or not – but to get a flavour:

Are your automated backup systems expanding your PCI scope? Almost everyone agrees that backing up your important data is a smart thing to do. Except, that is, when it’s not. The problem starts when your sensitive data seeps into places you don’t expect.

Your backup systems then unintentionally spread cardholder data to locations you don’t suspect and expand your PCI scope in the process. Should you be concerned? I think you should be, and I’m not the only one–the PCI Council thinks retailers may have a problem, too.

The problem begins because cardholder data has a way of leaking into all kinds of unexpected places. Sometimes this leakage is from users violating company policy: They copy data to their laptops or local databases, sometimes synching to mobile devices. When these systems are backed up, the data is duplicated in new places, compounding the problem.

And another post on the same blog entitled iPhone Payment Peril: Mobile Mayhem Omen? starts by saying:

The iPhone retains everything typed into it through its onscreen keyboard, including payment-card data, for as long as a year. And that penchant for holding onto payment-card data is only the latest in a long line of mobile data catastrophes that are slowly materializing as mobile deployments start in earnest.

Many apps are simply sloppy about the security of sensitive data.

The bottom line is that everyone who designs any kind of hardware or software, or is responsible for any kind of computer system, needs to think about this issue carefully, and limit the unnecessary duplication or storage of personal or confidential information. 

August 4, 2010

RIM Blackberry security irks UAE, Saudi Arabia

David Canton @ 8:12 am

That’s the title of my Slaw post for today.  It reads as follows.

There has been a lot of press over the latest countries that don’t want Blackberries in their country unless they can get access to monitor user communications.  See, for example, the Washington Post, Techdirt, Engadget.

RIM designed Blackberry communications so they would be secure, in a way that RIM itself can’t even access them.  That’s a great feature that makes privacy advocates, corporate users, and individual users very happy. 

But it also makes some governments very unhappy – particularly those who believe they need to spy on communications. Some go so far as to threaten to ban use in their countries unless they get the access they want. Those countries feel the need to monitor for illegal activity, or for anti-government sentiment that we in North America would consider basic free speech. And the threat to ban irks governments like the US, because it affects US government officials and users that travel to those countries, and offends their views of free speech and individual empowerment. The attitude of most of us in North America is that those governments should just lighten up and stop trying to suppress or control the thoughts and activities of people.

But we can’t forget that this is all a matter of degree. US and Canadian “lawful access” advocates want ways for law enforcement to access electronic communications to fight criminals and terrorists, and have similar concerns about the encryption that modern communications technology provides. Law enforcement has always been able to do things like wiretaps with judicial oversight that requires some standard of reasonable cause before it happens. (Although one is often suspicious about what wholesale monitoring is done at the national security level.)

We need to think these things through very carefully in terms of what access is truly needed and effective to fight crime, and what is merely security theatre. We also need to think about what kind of rules, oversight, checks, and balances must go along with law enforcement access in order to balance it against rights to privacy and confidentiality.

July 30, 2010

Court rules activist can post officials’ Social Security numbers

David Canton @ 7:50 am

I tweeted this yesterday, but thought it merited more comment.  According to an article in the Washington Post:

“Betty “B.J.” Ostergren wanted to persuade Virginia to take sensitive personal data off state Web sites. To make her point, she created her own site and then posted public records that included the Social Security numbers of government officials.

This week, a federal appellate court in Virginia ruled that Ostergren can keep those records on her site, The Virginia Watchdog. The court found that a 2008 law that prohibits publishing Social Security numbers violates Ostergren’s constitutional right to free speech.”

In no world does this make sense. Social security numbers, like our social insurance numbers, are a personal identifier that is ripe for abuse in the wrong hands.

In Canada, even the use of someone’s social insurance number, let alone its publication, requires specific consent.

I believe in the open data movement for government information – but there needs to be some real sober thought about which parts of that data ought to be withheld because they are personal, or because there is some other legitimate need to protect them that outweighs the public’s need or desire to see them. We can’t forget that once data is available online, the concept of practical obscurity that we have relied on forever without really thinking about it no longer works.

July 26, 2010

Twitter example of the business costs of inadequate security

David Canton @ 7:56 am

For the London Free Press – July 26, 2010

Read this on Canoe

Customers and regulators take a dim view of companies that don’t safeguard private information

Twitter recently agreed to settle the Federal Trade Commission’s charges that it deceived consumers and put their information at risk through inappropriate and inadequate privacy measures. The charges were that Twitter represented it keeps user information safe, but its actual security measures were not adequate to do that.

On two separate occasions hackers gained unauthorized administrative control of Twitter and access to non-public tweets and user information.

In the first security breach, a hacker used an automated password-guessing tool to access Twitter’s administrative account.

In the second breach, a Twitter employee’s e-mail account was compromised and his or her administrative password inferred from other passwords stored in the e-mail account.

If this had occurred in Canada, it would be regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). The United States does not have equivalent privacy legislation.

The FTC approach in these situations is to charge the company with misleading advertising for not living up to its privacy policy.

The FTC charged Twitter with making representations regarding its privacy and security measures which were false and deceptive in violation of Section 5(a) of the Federal Trade Commission Act.

The terms of settlement include the following.

Twitter is barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of non-public consumer information.

This appears to be little more than a restatement of Section 5(a) of the Federal Trade Commission Act. However, including this in the terms of settlement provides the Federal Trade Commission with more tools for punishment in the event of a violation.

Twitter may be fined $16,000 per violation of the settlement agreement for the life of the agreement.

Twitter must establish a comprehensive information security program. The program is to include detailed risk assessment and safeguards based on that risk assessment.

The safeguards must be regularly tested and re-assessed as its operations and business change.

The security program will be assessed by an independent security auditor every other year for the next 10 years. Those reports must be provided to the FTC.

Twitter also must maintain certain records for the FTC, including any statements it makes regarding security and privacy, customer complaints relating to the FTC complaint and its responses, and any documents that suggest non-compliance with the settlement.

Whether it is the FTC taking action on misleading advertising grounds, the Canadian Privacy Commissioner taking action under PIPEDA, or simply customers becoming upset at security breaches, businesses can’t afford security and privacy breaches.

The lesson is that it’s far better to consider and deal with security and privacy issues on your own at the outset than to have problems and face the wrath of regulators and customers alike.

July 12, 2010

Don’t let privacy get lost in the clouds

David Canton @ 8:28 am

For the London Free Press – July 12, 2010

Read this on Canoe

So-called ‘cloud computing’ can be valuable — but it can also come with risks

Cloud computing – essentially providing computer services over the Internet – is a growing trend.

Ontario’s privacy commissioner recently released a report dealing with privacy issues that arise from the cloud.

There are many definitions and debates over just what cloud computing is, but it entails storing your information and/or running software on computers belonging to others that you access over the Internet.

For example, instead of creating this column using word-processing software installed on a computer in my office and saving it here, it could be created and stored in the cloud from any computer using services such as Google Docs, or Microsoft Office Web apps.

It is a compelling model, as it can provide advantages in cost, simplicity, portability and scalability.

It can, though, pose issues around things like privacy, confidentiality, security, business continuity and disaster recovery. The importance of those issues varies depending on how the particular cloud product works, what it’s used for, and how mission critical it is.

The privacy commissioner’s discussion paper – Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach – discusses relevant privacy issues.

The report discusses a variety of different models included in the term “cloud.”

The report sheds light on which types of risks are associated with different types of “clouds,” some of which are riskier than others from a privacy and security standpoint.

The decision to use cloud computing is one each individual or business must make bearing in mind the type and sensitivity of their information, how valuable that information might be and whether local copies can be saved.

Since the loss or compromise of sensitive data can be incredibly damaging to an organization, careful consideration is required.

It’s important for organizations to take time to review what type of cloud model they intend to use, and whether it’s adequate from various perspectives, including operational, cost, access and privacy.

The type of data stored by an organization may change over time. Organizations evolve and sensitivities change. Re-evaluation of an organization’s cloud model at regular intervals, or when major projects occur, will help ensure data is kept in an appropriate manner.

The bottom line is that it’s important for anyone using cloud-based services to understand how that particular service operates and what promises it makes concerning privacy, security and continuity of data. The importance of those factors will vary depending on the nature of the information involved, and how critical the service is to the user.

If it is not adequate, either negotiate to make it adequate, or go somewhere else.

This report, and a previous white paper entitled Privacy in the Clouds (both available on the web at ipc.on.ca) are helpful for potential users to understand and deal with privacy issues that arise from the cloud.

They are also useful to help anyone providing cloud-based services deal with privacy issues for their services.

Ideally, providers will design their services to be privacy-friendly from the outset – an approach the commissioner calls “privacy by design.”
