David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




February 26, 2010

Schneier article: Spy cameras won’t make us safer

— David Canton @ 8:46 am

Security expert Bruce Schneier wrote an article for CNN entitled “Spy cameras won’t make us safer” that’s worth reading.

His basic premise is:

Pervasive security cameras don’t substantially reduce crime. This fact has been demonstrated repeatedly: in San Francisco, California, public housing; in a New York apartment complex; in Philadelphia, Pennsylvania; in Washington; in study after study in both the U.S. and the U.K. Nor are they instrumental in solving many crimes after the fact.

 

 

February 12, 2010

Privacy Commissioner – public consultations on privacy and cloud computing

— David Canton @ 9:43 am

The Canadian Privacy Commissioner just invited interested parties to file written submissions on privacy issues surrounding cloud computing, and asked for expressions of interest from anyone wanting to take part in a formal panel discussion in June.

Cloud computing - however one defines it - can be a compelling model, as it can provide advantages in cost, simplicity, and scalability.

It can, though, pose issues around things like privacy, confidentiality, security of data, business continuity, and disaster recovery. The importance of those issues varies depending on how the particular cloud product works, what you use it for, and how mission critical it is.

January 8, 2010

Airport security – are body scanners the right solution?

— David Canton @ 9:01 am

Is the headlong rush to install body scanners in airports:

(a) an effective way to stop dangerous weapons getting on aircraft?

(b) a kneejerk reaction to the attempted underwear bombing?

(c) a massive, expensive invasion of privacy with no real benefit?

(d) more security theatre that makes it appear that something is being done, but accomplishes nothing?

(e) wasting time and resources that could address the issue in more effective ways?

(f) causing far more harm and inconvenience to air travellers than is justified by the small chance it will make a difference?

(g) closing the barn door after the cows have all left?

These are questions we should be asking.   Here’s some food for thought:

From David Fraser:

http://www.privacylawyer.ca/blog/2010/01/pantsbomber-revives-debate-over-body.html

http://www.privacylawyer.ca/blog/2010/01/we-need-debate-on-privacy-impact-of.html

http://www.privacylawyer.ca/blog/2010/01/scary-and-funny-undressing-naked-truth.html

http://www.privacylawyer.ca/blog/2010/01/alberta-privacy-commissioner-has-some.html

UPDATE: As I was typing this, David added a good article on this topic on Slaw:  http://www.slaw.ca/2010/01/08/a-real-debate-about-privacy-and-security/

From Bruce Schneier:

http://www.schneier.com/blog/archives/2010/01/nate_silver_on.html

http://www.schneier.com/blog/archives/2010/01/another_contest.html

http://www.schneier.com/blog/archives/2010/01/airport_securit_12.html

December 16, 2009

Another reason to back up your laptop

— David Canton @ 8:21 am

That’s the title of my Slaw post for today.  It reads as follows:

November 30, 2009

Laptops on border ‘search’ list

— David Canton @ 8:33 am

For The London Free Press – November 30, 2009


TRAVEL: The practical reality is we have no control over these computer searches, so it’s wise to be prepared

Last summer, directives were issued by the U.S. Department of Homeland Security for searches of computers and other electronic devices at U.S. border points.

The stated goal was to combat crime and terrorism while still protecting personal privacy and civil liberties.

The directives allow border agents to search, detain, copy or examine any electronic device capable of storing electronic information for any reason.

As Homeland Security Secretary Janet Napolitano said at the time, “The new directives . . . strike the balance between respecting the civil liberties and privacy of all travellers while ensuring (Department of Homeland Security) can take the lawful actions necessary to secure our borders.”

Where “sensitive” information is involved, including solicitor-client privilege and medical records, border guards are directed to consult with agency counsel or the local U.S. Attorney’s office. But any information outside of this narrow privileged category may be searched.

Whether such searches truly accomplish the goal is questionable. As information freely flows across borders via the Internet, physical searches of computers will be of little use. And laws such as copyright are so fact-dependent, and even pose challenges to courts trying to sort out what is allowable, that it’s not a decision a border agent should make.

The practical reality is that we have no control over these border searches. So the Canadian Bar Association (CBA) has published a list of suggestions for lawyers crossing the border with laptops or electronic devices.

While the association published its work for the legal community, the suggestions are valuable for anyone entering the U.S. with an electronic device containing sensitive or confidential information.

The full text can be found at www.cba.org/CBA/PracticeLink/TAYP/laptopborderupdate.aspx, but here are some of the most helpful tips:

- Travel with a “bare” computer that contains only the most essential information. Ensure that all work with data is done via a secure virtual private network (VPN). Consider using SaaS (software as a service) programs based on the Internet, rather than your computer’s hard drive.

- Turn off your computer early: At least five minutes before you get to U.S. Customs, make sure your computer is turned off so unencrypted information in your computer’s RAM has adequate time to void itself.

- Back up your data: Self-explanatory.

- Store data on small devices: Smaller devices can be carried more inconspicuously.

- Protect your phone and PDA: Phones now carry a considerable amount of information and need to be kept as “clean” as possible in case they’re confiscated.

- ‘Clean’ your laptop once it’s returned: This will ensure that no programs or spyware have been installed on your computer.

In summary, the prudent approach for taking a computer into the U.S. is to ensure it contains no confidential, sensitive or privileged information.

Don’t rely on encryption, because the border agent may simply ask for your password.

The better approach is to leave all information on a Canadian server and access it remotely once in the U.S.

November 9, 2009

Data breaches on the increase

— David Canton @ 8:33 am

For the London Free Press – November 9, 2009


PRIVACY: Sixty-five incidents were reported in 2008, leaving personal information exposed for all to see

Federal Privacy Commissioner Jennifer Stoddart recently released her annual report to Parliament on PIPEDA, the private-sector privacy law.

While her comments on social networking were highlighted and widely reported by the media, the report contained some other interesting trends that have not been as widely discussed.

One of the most notable developments related to the increasing regularity with which personal information is being released without the knowledge or consent of individuals.

Last year’s Personal Information Protection and Electronic Documents Act (PIPEDA) annual report called 2007 the year of the data breach. A data breach is an incident involving loss of, unauthorized access to, or disclosure of personal information as a result of a breach of an organization’s security safeguards.

The number of reported data breaches has been on the rise in recent years, from 23 in 2006, to 48 in 2007, to 65 reported incidents in 2008. These breaches can leave personal information exposed for anyone to see.

For instance, in 2006, a large financial institution sent a portable computer disk drive containing electronic files of nearly half a million customers from one office branch to another. The parcel arrived as intended but the disk drive had been removed.

The disk drive has never been found and it’s unclear what happened to the missing data. The incident prompted Stoddart to launch an investigation into data encryption and supervision in data transfer.

The unanswered question in the report is whether there are more data breaches today or if they are just being more frequently reported.

Stoddart notes that her office has been encouraging organizations to report breaches to develop a better understanding of why violations occur and how they can be prevented.

The report breaks data breaches into four types: Unauthorized access, accidental disclosure, theft and loss.

Unauthorized access is the most common. This is when someone accesses personal information without authority to do so. This is often a rogue employee motivated by fraud.

Accidental disclosure is usually the result of human error. In these cases, employees have unintentionally shared data through mailing foul-ups, improper destruction and disposal, online disclosure, e-mailing errors or errant faxing.

Theft and loss are involved in a little less than a quarter of all data breach incidents. This involves information being stolen from vehicles, offices and courier mailbags.

The report identifies the following issues that organizations should consider to reduce the risk of data breaches:

- Ensure personal information is accessible only on a “need to know” basis.

- Administrative procedures, including destruction and disposal practices.

- Third-party service provider capacity to protect personal information.

- Security and procedures related to employees taking data out of the office.

Each of these should be carefully considered by businesses dealing with sensitive data. A data breach can result in both privacy complaints and significant damage to the reputation of the business.

November 4, 2009

P2P sharing leaks blueprints on Obama’s Marine One

— David Canton @ 6:56 am

That’s the title of my Slaw post for today.  It reads as follows:

A CBS news article says that blueprints of Obama’s helicopter were found on a computer in Tehran. How did it get there?

Seems that a defense contractor legitimately had the documents. An employee saved it on her home PC. That home PC contained, like many do, file sharing software. But that employee did not realize that the file sharing software was configured to share the folder it was put in.

In other words, if anyone anywhere using that file sharing software/network did a search, they could find and download that document.

This danger is not new – but it’s a good reminder for law firms to be vigilant about where confidential and client documents are stored – even temporarily. It’s not unusual for those within law firms to work from home occasionally.

All file sharing software should be set to either not share anything, or to share only files contained in specified folders that one purposely decides to share.

September 22, 2009

Law Society CLE – Security for Lawyers in a Wired World

— David Canton @ 2:47 pm

Any lawyers who read this might find this upcoming CLE program interesting/useful.  It is described as:

In an increasingly paperless world, you no longer need to leave the office with a full briefcase. Are you sacrificing your clients’ confidentiality by your increased use of technology? Attend this program to learn the essentials of metadata, encryption, and security for your mobile practice and what steps you need to take to protect yourself and your clients in this new technology-driven world.

I’m not just saying this because I’m moderating the program.   We have some very capable speakers to help work our way through these important issues.

September 14, 2009

Online threats continue to grow

— David Canton @ 6:24 am

For the London Free Press – September 14, 2009


Financial gain, notoriety and mischief are main motivators for unscrupulous ‘Net users, report says.

Symantec, maker of Norton Antivirus, recently released its mid-year update of 2009 Security Trends.

Security threats range from simple, annoying spam, to malware intended to cause damage to systems, to phishing attempts to obtain information leading to identity theft.

The following summarizes their top five security threats as well as some newly recognized threats.

- There has been an influx of new malware variants. In other words, attackers continue to develop new types of threats and deliver them in various ways. This leads to an increasingly large number of distinct threats.

Symantec says it blocks an average of more than 245 million attempted attacks each month, the vast majority of which are new threats. Detection methods required to repel these attacks continue to evolve. Different detection methods are often combined for better results.

- The global economic crisis has been the impetus for new security threats. Some prey on the latest trends and vulnerabilities, including an increase in things such as fake “work at home” schemes, and variations targeting employment ads. Other scams try to take advantage of homeowners under foreclosure or seeking mortgage refinancing.

- The popularity of social networking sites such as Facebook has made them a constant target for security attacks and scams. This threat has continued as scams attack through the use of compromised accounts, games and surveys which have the potential to collect lucrative information about users.

- Spam levels continue to rise, and will eventually comprise 75% to 80% of all e-mail. Spam volumes remain high despite ongoing successful efforts to shut down spam sites.

- Advanced web threats and malicious activity remain an increasing problem. Many such attacks occur against users of legitimate websites who are falsely redirected to malicious content. Forms of infection have been through “drive-by” downloads and attacks on social networking sites. Further attacks have occurred through plug-in applications and cross-site scripting.

Some of the more recent threats combined new threats with those used in previous years. An example is the use of characteristics of the CodeRed and Nimda threats in the Conficker worm, one of the “most complex and widely spread” threats in recent years.

Conficker was serious enough that last February, the Conficker Working Group, a panel of industry leaders and academics, was formed to help come up with a co-ordinated, global response.

Though many attacks are motivated by financial gain, others are motivated by the quest for notoriety and/or mischief.

The bottom line for both commercial and personal users of the Internet is that it is crucial to have protection in place to lessen the risks of spam, viruses, and malware in general.

That includes making sure firewalls are properly configured, and having regularly updated anti-virus software.

And be skeptical about any e-mail that doesn’t look right, or seems too good to be true.

August 4, 2009

UK putting cameras in private homes

— David Canton @ 7:56 am

In the “you’ve got to be kidding” category is a post on Wired Gadget Lab that refers to an article in the Daily Express that says the UK government is going to put 20,000 UK “problem families” under 24 hour CCTV supervision in their own homes.

And if you subscribe to the “if you’ve got nothing to hide, there’s nothing to worry about” line that we hear all too often, take a look at arguments against that in these articles by Bruce Schneier and Prof Daniel Solove and from the Washington Post.
