Bill C-51 (Anti-Terrorist Act, 2015) passed by Senate despite massive opposition

Bill C-51 (Anti-Terrorist Act, 2015) has been passed by the Senate despite massive opposition against its privacy unfriendly invasive powers.  See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right“, and this post on .

Yet in the United States, the USA Freedom Act was just passed that pulled back a bit on the ability of the NSA to collect domestic data.

There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime.  The cost is enormous – both in terms of the direct cost of collecting, storing and analyzing it – and the costs to the economy.  A new report from the Information Technology and Innovation Foundation says that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.

And that’s not to mention the cost to civil liberties and privacy.  As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.

1984 warning

Cross-posted to Slaw

Happy World Backup Day

Today is world backup day, a reminder of how important it is to back up our data – and to do it daily.

(I have not been able to figure out the origins of this day – Wikipedia doesn’t even have an entry for it – but the sentiment is a good one.)

For just one example, if your defenses are down and you get hit with a Crypto Virus that locks up all your files, you can restore your files from yesterday’s backup, rather than paying the ransom.

For practical thoughts on some things to consider about how and why to back up all your data, take a look at this article by David Bilinsky.

Also take a look at this infographic by Cloudwards – a cloud storage promoter – that has some info about the causes of lost data, and issues to consider around backup solutions. – World Backup Day 2015
Courtesy of:

Russian hackers amass 1.2 billion username/password combinations

A New York Times story says that: “A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses…”.  This was discovered by a company called Hold Security, that so far has not named the sites.  I’m a bit skeptical of the news, however, when Hold Security has a paid service to find out if your site is affected by this.

This emphasizes yet again the importance of using proper passwords and taking advantage of multi-factor authentication wherever it is offered.

Since the only good password is one we can’t possible remember, and they should be different for each site, the best approach is to use a password manager.  Password managers both create strong unique passwords and save them for you.  Here’s a recent PC Mag article on The Best Password Managers.

Make sure your password to get into your password manager is a strong one, and take advantage of multifactor authentication for it.  Make sure you have a backup copy of those passwords.  And lets hope that the password manager sites have protected themselves strongly enough that they can’t be compromised.

Cross posted to Slaw

Are you vulnerable to Heartbleed?

A serious flaw has been discovered in OpenSSL – the browser encryption standard used by an estimated two-thirds of the servers on the internet.  This flaw has been there for a couple of years, and allows hackers to read data stored in memory.  That gives hackers access to anything in memory, including security keys, user names and passwords, emails and documents.  More detail is on Gigaom and Schneier on Security.

An update to OpenSSL fixes the flaw.  Anyone who has a website should ask their service provider if it affects their site, and have it updated immediately.

And for those of you still using Windows XP or Office 2003 – upgrade that immediately as well.  I was surprised to read this morning that as many as 30% of Windows based computers still use XP.  As of today, Microsoft is no longer supporting them.

[cross-posted on Slaw]

NSA spying – musings about the surveillance state

Today’s Slaw post:

Much has been written about the NSA / Prism communications monitoring scandal over the last few days, including Simon’s recent post. Many things are unclear, and there are more questions than answers, but these things are clear to me.

Some people defend or trivialize it by saying that actual phone conversations and emails are not being monitored – just metadata. Metadata simply means data about data – it doesn’t mean that it is innocuous or public. The phone “just metadata” being tracked is equivalent to looking at one’s phone bill – numbers called, duration, etc. That definitely contains personal information which raises serious privacy issues. Reminds me of the “it’s just allergies” allergy medication ads.

Another comment that is supposed to make it better is that US citizens are not being targeted by the NSA. Who is targeted doesn’t change the fact that personal information on citizens is being collected and retained. And why is it somehow acceptable to spy on and violate the privacy of people in other countries?

Some ask why it is okay for Google to use knowledge it gains from searching your e-mails to sell advertising, but not okay for Google to pass it on to the government. There is a huge difference. Google serves up those ads without knowing or retaining the identity of the recipient. Privacy principles apply to contextual or behavioural advertising and contextual information (such as Google Now), and we can opt out of receiving it. Privacy obligations limit how long personal information is retained, who it can be disclosed to, and how it can be used. None of those concepts apply to NSA monitoring, and opting out is not an option. The devil is in the details when it comes to privacy, security and surveillance.

Edward Snowden, the person who leaked the information that started this, is apparently hiding in Hong Kong, and US authorities are eager to get him back to the US and charge him criminally. If he had done the same thing in certain countries in the Middle East or Asia, people in the US would be praise him as a hero and chastise the government for its retaliation against him. If those countries were doing the same surveillance as the NSA is, those in the US would demonize the state for its unacceptable assault on civil liberties and privacy.

I do not welcome the surveillance state.

There is secure, then there is secure

Today’s Slaw post

This ars technica article points out that Microsoft scans Skype message contents for signs of fraud, which means that Microsoft can read them.  While Skype messages may be encrypted to prevent third parties from reading them, that apparently does not apply to Microsoft. 

This is not just a Microsoft issue.  Other providers of communication and data storage may also be able to do that for certain services (Facebook, Google).  A close read of various service provider terms of use and privacy policies show they have the option to review data.  It is usually intended as a way to control things like spam and fraud or violations of acceptable use policies.

Users will have to decide if they require true end to end encryption where the service provider can’t access data at all, or whether they can accept service provider access and rely on contractual promises on what the service provider will do with that.  The answer may vary depending on the sensitivity of the information being stored or communicated by the service, or legal or contractual obligations one has regarding the information.

Gadgets encroach on privacy

For the London Free Press – April 8, 2013 – Read this at 

Machines that become self-aware and rebel against their human creators is a popular science fiction theme. A threat more immediate than Terminator’s Skynet or BSG’s rebelling “toasters” is that of our belongings spying on us.

As technology becomes more sophisticated, it enables more intrusion into individual privacy. Our belongings increasingly generate information about us, and the Internet will make more of our belongings — such as our homes and appliances — connected and able to share that information.

The use of data tracking and collecting by cars and smartphones are good examples.

Our smartphones and the applications we use every day are collecting more and more information about us. The inclusion of “black boxes” in cars also allows this same intrusion.

Many of us have smartphones. This new terminology provides an accurate description of how powerful these devices have become. Most people are focused, and understandably excited, about the capabilities they have provided. But there is a less of a focus on the sheer amount of personal information they can provide to various third parties and what potential impact this could have in the future.

The average smartphone user would likely use their phone for e-mail, Facebook, Twitter, GPS and even personal banking. With simple access to a person’s phone, organizations would be able to obtain almost a complete profile of a person and have access to all of their personal data. Modern smartphones contain little in terms of disclosing who and where this information is held and what steps are being taken to protect it.

Personal data collection has also increased considerably in cars. Though the concept of a talking car in Knight Rider seemed to be a ridiculous idea when the show first aired, we are closer to that day than ever.

For example, some car insurance companies offer discounts to people who provide them with black-box information about their cars, such as where and when they drive and how fast they drive. Though this information can be useful assisting insurance adjusters and the police to determine liability in the event of a crash, this also can be viewed as extremely intrusive.

This is not meant to suggest technological developments should be stopped, but there does need to be a real effort to think things through. What information is collected? Is that information really needed? Is it stored on the device or somewhere else? For how long is it stored? Who has access to it? For what purpose can they use it? If others have access, is it made anonymous or tied to an individual? What choices do we as individuals have over this information?

Do we feel comfortable with cellphone providers, car manufacturers, insurance companies and police knowing our every move?

How the dissemination of this information will be controlled by the courts and balanced with individual rights will develop over time. The Ontario Court of Appeal recently held that police can access, without a warrant, a phone of a person being arrested that does not contain a passcode.

On the other hand, the Supreme Court of Canada recently ruled a wiretap warrant is needed for police to obtain access to text messages in the possession of a cell company.

Some argue this collection and sharing of information should be OK for those who have “nothing to hide”, but it is a much more complex matter than that.

Privacy breaches often caused by simple things

Today’s Slaw post:

Privacy breaches are often caused by simple things that should be easy to avoid. Take, for instance, the Elections Ontario lost USB keys. The Ontario Privacy Commissioner’s recent news release points to “systemic failures“, and failure to build privacy into their routine information management practices. The details point to a series of simple failures, including failure to follow a policy that required encryption, a lack of understanding of front line staff of how to encrypt or what that meant, and a continuation of the same practices after the loss. The Commissioner recomended that Elections Ontario retain a third party privacy auditor to look at their policies and procedures, develop a staff training program, and create accountability through a Privacy Officer.

Privacy is something that we all have to take some ownership of. Lost or stolen media is a common problem. Take, for example, this excerpt from a recent neighbourhood watch report about several cars being broken into where stolenitems included “Oakley sunglasses, Maui Jim sunglasses, an ipod, gps, … various other items including a external hard drive with important business info on it.” It would seem to be an easy matter to just not leave anything visible in your car – and to never leave hard drives or other devices in a car even if they are hidden. But nobody thinks it will happen to them.

Elections Ontario Privacy Breach

Today’s Slaw post:

Elections Ontario has just disclosed that they lost USB drives containing personal information on as many as 2.4 million voters. The USB drives were supposed to be password-protected, encoded and kept in a locked area accessible only to specific staffers – but were not. The Ontario Privacy Commissioner, Ann Cavoukian, is investigating. Her initial comment:

I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario — the agency charged with protecting the integrity of our electoral process. . .

It is my expectation that personally identifiable information will not be stored on USB keys, laptops or other mobile devices — full stop. That is the message I have repeatedly given over the years.

This reminds us that:

  • A significant proportion of privacy breaches are caused by internal issues – not external hackers or thieves.
  • Any device small enough to be carried or lost is a prime candidate for data loss. Avoid keeping personal or sensitive information on them whenever possible, and if you must do it, make sure it is encrypted, and not accessible by a simple password.
  • Information security policies are useless if they are not followed.