There is secure, then there is secure

Today’s Slaw post

This Ars Technica article points out that Microsoft scans the contents of Skype messages for signs of fraud, which means that Microsoft can read them. Skype messages may be encrypted to keep third parties from reading them, but that protection apparently does not extend to Microsoft itself.

This is not just a Microsoft issue. Other providers of communication and data storage services (Facebook, Google) may be able to do the same for certain services. A close read of service provider terms of use and privacy policies shows that they reserve the option to review data. It is usually intended as a way to control things like spam, fraud or violations of acceptable use policies.

Users will have to decide whether they require true end-to-end encryption, where the service provider cannot access the data at all, or whether they can accept service provider access and rely on contractual promises about what the provider will do with it. The answer may vary with the sensitivity of the information being stored or communicated, and with any legal or contractual obligations one has regarding that information.
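The distinction above is about who holds the key. The following added example (not from the original post) walks through both models with a toy, stdlib-only authenticated cipher standing in for a real one: in the transport-only model the provider holds the session keys, so it decrypts, scans and re-encrypts; in the end-to-end model the two clients share a key the provider never receives, so its scan only ever sees ciphertext. The fraud markers, the function names and the cipher construction are assumptions made for this demonstration; use a vetted library such as libsodium for anything real.

```python
"""Who can read the message: transport encryption vs end-to-end encryption.

Added example, not from the original post. The cipher below is a toy
(HMAC-SHA256 keystream XORed with the plaintext, then an HMAC-SHA256 tag,
encrypt-then-MAC) so the demo runs offline with the standard library only.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared secret."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_box(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on the wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


FRAUD_MARKERS = (b"wire transfer", b"gift card")  # constructed scan list for the demo


def provider_scan(content: bytes) -> bool:
    """A provider-side 'fraud scan' can only match what it can actually read."""
    return any(marker in content.lower() for marker in FRAUD_MARKERS)


def transport_only(msg: bytes, sender_session_key: bytes, recipient_session_key: bytes) -> dict:
    """Client-to-provider encryption: the provider terminates the encryption,
    so it holds plaintext in the middle and can scan it before re-encrypting."""
    on_the_wire = seal(sender_session_key, msg)
    at_provider = open_box(sender_session_key, on_the_wire)  # provider holds this key
    flagged = provider_scan(at_provider)
    to_recipient = seal(recipient_session_key, at_provider)
    return {"provider_sees_plaintext": True, "flagged": flagged,
            "recipient_reads": open_box(recipient_session_key, to_recipient)}


def end_to_end(msg: bytes, key_shared_by_clients: bytes) -> dict:
    """Sender and recipient share a key the provider never receives; the
    provider relays the blob and its scan sees only ciphertext."""
    on_the_wire = seal(key_shared_by_clients, msg)
    flagged = provider_scan(on_the_wire)  # scanning ciphertext finds nothing useful
    provider_guess = hashlib.sha256(b"some key the provider does hold").digest()
    try:
        open_box(provider_guess, on_the_wire)
        provider_sees_plaintext = True
    except ValueError:  # tag check fails: the provider cannot read it
        provider_sees_plaintext = False
    return {"provider_sees_plaintext": provider_sees_plaintext, "flagged": flagged,
            "recipient_reads": open_box(key_shared_by_clients, on_the_wire)}


if __name__ == "__main__":
    message = b"Please send the wire transfer to the new account today."
    print("transport only:", transport_only(message, os.urandom(32), os.urandom(32)))
    print("end to end:    ", end_to_end(message, os.urandom(32)))
```

The contractual question in the post maps onto `transport_only`: the provider can make promises about what it does at the `at_provider` step, but nothing technical stops it from reading there. In `end_to_end` the promise is unnecessary because the scan has nothing to read, which is also why such a provider cannot offer content-based fraud filtering.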

Gadgets encroach on privacy

For the London Free Press – April 8, 2013 – Read this at lfpress.com 

Machines that become self-aware and rebel against their human creators is a popular science fiction theme. A threat more immediate than Terminator’s Skynet or BSG’s rebelling “toasters” is that of our belongings spying on us.

As technology becomes more sophisticated, it enables more intrusion into individual privacy. Our belongings increasingly generate information about us, and the Internet will make more of our belongings — such as our homes and appliances — connected and able to share that information.

Data tracking and collection by cars and smartphones are good examples.

Our smartphones and the applications we use every day are collecting more and more information about us. The inclusion of "black boxes" in cars allows the same kind of intrusion.

Many of us have smartphones. The term is an accurate description of how powerful these devices have become. Most people are focused, and understandably excited, on the capabilities they provide. There is less focus on the sheer amount of personal information they can provide to third parties and on what impact that could have in the future.

The average smartphone user likely uses the phone for e-mail, Facebook, Twitter, GPS and even personal banking. With simple access to a person's phone, an organization could obtain an almost complete profile of that person and reach all of their personal data. Modern smartphones disclose little about who holds this information, where it is held and what steps are taken to protect it.

Personal data collection has also increased considerably in cars. Though the concept of a talking car in Knight Rider seemed to be a ridiculous idea when the show first aired, we are closer to that day than ever.

For example, some car insurance companies offer discounts to people who provide them with black-box information about their cars, such as where, when and how fast they drive. Though this information can be useful to insurance adjusters and police in determining liability after a crash, it can also be viewed as extremely intrusive.

This is not meant to suggest technological developments should be stopped, but there does need to be a real effort to think things through. What information is collected? Is that information really needed? Is it stored on the device or somewhere else? For how long is it stored? Who has access to it? For what purpose can they use it? If others have access, is it made anonymous or tied to an individual? What choices do we as individuals have over this information?

Do we feel comfortable with cellphone providers, car manufacturers, insurance companies and police knowing our every move?

How the dissemination of this information will be controlled by the courts and balanced with individual rights will develop over time. The Ontario Court of Appeal recently held that police can access, without a warrant, a phone of a person being arrested that does not contain a passcode.

On the other hand, the Supreme Court of Canada recently ruled a wiretap warrant is needed for police to obtain access to text messages in the possession of a cell company.

Some argue this collection and sharing of information should be OK for those who have “nothing to hide”, but it is a much more complex matter than that.

www.harrisonpensa.com/lawyers/david-canton

Privacy breaches often caused by simple things

Today’s Slaw post:

Privacy breaches are often caused by simple things that should be easy to avoid. Take, for instance, the USB keys lost by Elections Ontario. The Ontario Privacy Commissioner's recent news release points to "systemic failures" and a failure to build privacy into routine information management practices. The details describe a series of simple failures: a policy that required encryption was not followed, front line staff did not understand how to encrypt or what that meant, and the same practices continued after the loss. The Commissioner recommended that Elections Ontario retain a third party privacy auditor to review its policies and procedures, develop a staff training program, and create accountability through a Privacy Officer.

Privacy is something that we all have to take some ownership of. Lost or stolen media is a common problem. Take, for example, this excerpt from a recent neighbourhood watch report about several cars being broken into, where stolen items included "Oakley sunglasses, Maui Jim sunglasses, an ipod, gps, … various other items including a external hard drive with important business info on it." It would seem an easy matter to not leave anything visible in your car, and to never leave hard drives or other devices in a car even if they are hidden. But nobody thinks it will happen to them.

 http://harrisonpensa.com/lawyers/david-canton/

Elections Ontario Privacy Breach

Today’s Slaw post:

Elections Ontario has just disclosed that they lost USB drives containing personal information on as many as 2.4 million voters. The USB drives were supposed to be password-protected, encoded and kept in a locked area accessible only to specific staffers – but were not. The Ontario Privacy Commissioner, Ann Cavoukian, is investigating. Her initial comment:

I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario — the agency charged with protecting the integrity of our electoral process. . .

It is my expectation that personally identifiable information will not be stored on USB keys, laptops or other mobile devices — full stop. That is the message I have repeatedly given over the years.

This reminds us that:

  • A significant proportion of privacy breaches are caused by internal issues – not external hackers or thieves.
  • Any device small enough to be carried or lost is a prime candidate for data loss. Avoid keeping personal or sensitive information on such devices whenever possible, and if you must, make sure it is encrypted and not accessible with a simple password.
  • Information security policies are useless if they are not followed.

 http://harrisonpensa.com/lawyers/david-canton/

Proposed Internet Surveillance bill ill advised

Michael Geist has written a good article in the Ottawa Citizen discussing why the proposed "lawful access" internet surveillance law should not be passed.

From the article:

Lawful access raises genuine privacy and free speech concerns, particularly given the fact the government has never provided adequate evidence on the need for it, it has never been subject to committee review, and it would cost millions to implement yet there has been no disclosure on who would actually pay for it. Given this, it is not surprising that every privacy commissioner in Canada has signed a joint letter expressing their concerns.

Like David Fraser and Michael, I have ranted on this before. I have a real problem with legislation that erodes privacy and requires ISPs or others to retain information for the sole purpose of government access to it, particularly when that access is not tempered by the need for a warrant.

Issues include erosion of privacy, the potential for misuse of the information (intentionally, accidentally or through creeping uses), the cost to ISPs of complying, and whether the measures will actually have any meaningful impact on crime.

Log-in demand crosses line

For the London Free Press – April 4, 2011

Read this on Canoe

Employers who want applicants’ social media log-ins to check them out are going too far

It is not unusual for employers to conduct Google searches on prospective employees or check their public social media feeds. But a prospective employer's request for job applicants' social media log-in IDs and passwords crosses the line.

Unfortunately, some people have felt they had no choice but to comply, given the unequal bargaining power between the parties and their need to obtain or keep a job.

The British Columbia New Democratic Party has required candidates to reveal their social media IDs and passwords so the party can search for potentially embarrassing material. So far, all the candidates have apparently complied, except for one.

In Maryland, the Department of Public Safety and Correctional Services requested applicants' social media information as a standard part of its hiring and recertification process. The American Civil Liberties Union of Maryland has requested that the department change its policy.

In Bozeman, Mont., the city instituted a policy requiring job applicants to provide their social media log-in information. This prompted widespread criticism that resulted in the city promptly abandoning the policy.

There is a fine line between being well-informed about employees and potential employees and invading an individual’s privacy. Asking for social media log-ins clearly crosses that line.

For many social media users, Facebook messaging is replacing their telephone calls, e-mails and meetings. An employer asking for access to these messages is the practical equivalent of asking if it can tap phones, monitor e-mails or listen in on conversations.

These are violations of reasonable expectations of privacy. Communications via social media should not be treated differently. With many social media sites, giving out your log-in ID and password is a violation of their terms of use.

Having someone's ID and password means you can do anything on that site the individual can do. One has to wonder what else the entities demanding passwords do with the personal information they obtain.

An employer may learn about such things as applicants’ religious views or disabilities on which they’re not permitted to base hiring decisions. If the candidate is not hired, this could lead to a discrimination claim.

Tracking online users

David Fraser has a good post on his Canadian Privacy Law Blog called Tracking Internet miscreants that talks about the process of tracking down anonymous people for litigation purposes. 

David includes a slide deck from a presentation he gave at a Canadian Bar Association meeting that talks about the legal process to do that.  He also details the extent of the tracks we leave online, and the staying power of those tracks.

Safeguarding client information

That's the title of my Slaw post for today. While the webinar was about lawyer and client information, the principles apply to almost anyone. It reads as follows:

I attended a webinar today by the CBA entitled Safeguarding your Client's Confidential Information – Tips and Traps, presented by David Fraser and Dominic Jaar.

Here are some of the highlights.

Quote from security expert Bruce Schneier:

“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.”

This is primarily a people issue – requires training and understanding. It’s not just about technology.

Ethical rules. Not just rules against gossip and intentionally disclosing client information.

Includes an obligation to safeguard all of the information about a client against misuse and disclosure.

Privacy laws also apply.

For example, PIPEDA requires safeguards against:

  • Loss or theft,
  • Unauthorized access,
  • Disclosure,
  • Copying,
  • Use, or
  • Modification.

Cradle to grave protection is required – disposal of paper and of any computer memory (wherever it is – computer, fax machine, jump drive, smartphone, etc.) must be done by shredder or another method of destruction.

When using social media be cautious about whether to separate personal from professional.

When crossing borders – customs officers have broad authority to look at your laptop. The best solution is to not cross the border with client materials on the laptop. Some lawyers use a clean loaner laptop when travelling and access client information remotely.

The biggest threat to security – is you, the user.

Encourages encryption of all client data on portable devices such as laptops, jumpdrives and smartphones.

Think it can’t happen to you? 86,000 lost or stolen laptops per year.

Make sure you change the default settings for admin usernames and passwords on hardware. Don’t forget Bluetooth.

Check password strength here: https://www.microsoft.com/security/pc-security/password-checker.aspx?WT.mc_id=Site_Link

Consider this tool: http://passwordsafe.sourceforge.net/

If you use the cloud – make sure both the communication channel and the storage are encrypted.

Wipe metadata from Word documents you create. This is easy to do in current Word versions. Converting to PDF is not enough; the PDF carries its own document properties.
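As an added example (not from the webinar or the original post), here is what "wiping metadata" means at the file level: a .docx is a zip archive whose document properties live in docProps/core.xml (author, last modified by, title, keywords, revision) and docProps/app.xml (company, template, editing time). The code builds a small constructed stand-in for a Word file in memory, lists the identifying fields, then rewrites the archive with those fields blanked. The sample document, the field lists and the function names are assumptions for this demonstration; a real Word file also carries comments, tracked changes and custom properties (docProps/custom.xml) that this does not touch, which is why Word's own Document Inspector is the right tool for production use.

```python
"""Inspect and blank identifying metadata in a .docx (added example, not the
webinar's or the original post's code). Standard library only.
"""
import io
import re
import zipfile

# Fields that identify people, organisations or editing history. Constructed
# lists for this example; real documents may carry more (custom.xml, comments).
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:subject",
               "dc:description", "cp:keywords", "cp:revision")
APP_FIELDS = ("Company", "Manager", "Template", "TotalTime")

# Constructed sample parts, shaped like what Word writes.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
    ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:title>Draft settlement - Smith v. Jones</dc:title>'
    '<dc:creator>Jane Lawyer</dc:creator>'
    '<cp:lastModifiedBy>J. Lawyer</cp:lastModifiedBy>'
    '<cp:revision>7</cp:revision>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2011-03-01T09:00:00Z</dcterms:created>'
    '</cp:coreProperties>'
)
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
    '<Application>Microsoft Office Word</Application>'
    '<Company>Example Law LLP</Company>'
    '<Template>Normal.dotm</Template>'
    '<TotalTime>143</TotalTime>'
    '</Properties>'
)


def build_sample_docx() -> bytes:
    """Constructed stand-in for a Word file: just enough parts for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Settlement terms ...</w:document>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def _field_re(tag: str) -> "re.Pattern":
    # Matches <tag ...attrs>text</tag>; attributes are kept, only the text is blanked.
    return re.compile(r"<%s(\s[^>]*)?>([^<]*)</%s>" % (re.escape(tag), re.escape(tag)))


def read_part(docx: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name).decode("utf-8")


def read_metadata(docx: bytes) -> dict:
    """Return the non-empty identifying fields found in core.xml and app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = z.namelist()
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            xml = z.read(part).decode("utf-8")
            for tag in fields:
                m = _field_re(tag).search(xml)
                if m and m.group(2):
                    found[tag] = m.group(2)
    return found


def _blank(data: bytes, fields) -> bytes:
    xml = data.decode("utf-8")
    for tag in fields:
        xml = _field_re(tag).sub(lambda m: "<%s%s></%s>" % (tag, m.group(1) or "", tag), xml)
    return xml.encode("utf-8")


def strip_metadata(docx: bytes) -> bytes:
    """Rewrite the archive with identifying fields blanked; other parts copied as-is.
    Creation/modification dates are left alone here; blank them too if the timeline
    is itself sensitive."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                data = _blank(data, CORE_FIELDS)
            elif info.filename == "docProps/app.xml":
                data = _blank(data, APP_FIELDS)
            dst.writestr(info.filename, data)  # fresh entries, not the source timestamps
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_metadata(doc))
    print("after: ", read_metadata(strip_metadata(doc)))
```

Run `read_metadata` on a file you are about to send and it will show exactly what the recipient could see in the document properties; the same check on the stripped copy should come back empty. The regex approach deliberately avoids re-serialising the XML, so namespace prefixes and attributes stay as Word wrote them.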

Privacy dangers of smartphones

David Fraser has a post entitled Your smartphone could be your most dangerous possession, so secure it. 

David states, in part

After a decision out of California which found that police are able to rummage through all your portable electronics incident to arrest, much attention has been focused on how much data people carry around with in their portable electronics. CNN Money is running a story with the descriptive title: Your smartphone could be your most dangerous possession.

David and I have commented before about the ability of customs agents to go through all your electronics. The California decision was based on the notion that police looking at the contents of someone's phone incidental to an arrest is no different from looking in their trunk or pockets. But with the amount of information that can be on our phones, it is much more intrusive than that. It's more like looking through all of one's personal files, banking records, phone records, etc.

And it's not just about what police and customs agents can look at; it's the risk of losing a phone with all that personal information on it.

Take a look at David’s post for a link to an article about securing your phone.

Electronic Health Records

That’s the title of my Slaw post for today.  It reads as follows:

eHealth has been a major and controversial topic lately. A lot of time and effort has been spent on it, as there are many issues such as costs, privacy, security and standards.

I had an encounter with the health system recently, and from my observations as a patient we need to keep this initiative moving, find ways to solve those issues, and stop using paper. I paid particular attention to the paper and documents that were created. Throughout the process, I was asked the same thing multiple times. (Confirming who I was and what they were going to do multiple times to make sure they don't make a mistake is welcome, though.) Once I noticed that a nurse was looking at one document and copying information off it onto another. By the time it was over, the clipboard had many pieces of paper on it. No doubt some of that might be entered into an electronic record, which means double entry. And some of it will be left on the paper and put in a file somewhere, never to be seen again.

The current health care record system has another fundamental flaw, in that records are centred around a particular doctor or hospital, when they should be patient centric. Health care providers would have much better information about us if they had access to all of our records from the various family doctors, specialists, dentists, etc. that we encounter over our lifetimes. That would lead to better treatment, and less time spent asking the same questions about things like family history and medications. Patient centric records would also allow us to take better charge of our own health needs, including preventative health care.

We have the technology, let's rebuild it.