From teh article:

Lawful access raises genuine privacy and free speech concerns, particularly given the fact the government has never provided adequate evidence on the need for it, it has never been subject to committee review, and it would cost millions to implement yet there has been no disclosure on who would actually pay for it. Given this, it is not surprising that every privacy commissioner in Canada has signed a joint letter expressing their concerns.

Like David Fraser and Michael, I have ranted on this before.   I have a real problem with legislation that erodes privacy and requires ISP’s or others to retain information for the sole purpose of government access to it. And when that access is not tempered by the need for a warrant.

Issues include erosion of privacy, the potential for misuse of the information (intentionally, accidentally, or creeping uses) the costs of ISP’s to comply, and whether the measures will actually have any meaningful impact on crime.

Read this on Canoe

Employers who want applicants’ social media log-ins to check them out are going too far

It not unusual for employers to conduct Google searches on prospective employees or check their public social media feeds. But prospective employer’s requests for job applicants’ social media log-in IDs and passwords crosses the line.

Unfortunately, some people have felt no choice but to comply given the unequal bargaining power between the parties and their need to obtain or keep a job.

The British Columbia New Democratic Party has required candidates to reveal their social media IDs and passwords so the party can search for potentially embarrassing material. So far, all the candidates have apparently complied, except for one.

In Maryland, the department business law of public safety and correctional services requested applicants’ social media information as a standard part of its hiring and recertification process. The American Civil Liberties Union of Maryland has requested that the department change its policy.

In Bozeman, Mont., the city instituted a policy requiring job applicants to provide their social media log-in information. This prompted widespread criticism that resulted in the city promptly abandoning the policy.

There is a fine line between being well-informed about employees and potential employees and invading an individual’s privacy. Asking for social media log-ins clearly crosses that line.

For many social media users, Facebook messaging is replacing their telephone calls, e-mails and meetings. An employer asking for access to these messages is the practical equivalent of asking if it can tap phones, monitor e-mails or listen in on conversations.

These are violations of reasonable expectations of privacy. Communications via social media should not be treated differently. With many social media sites, giving out your log-in ID and password is a violation of their terms of use.

Having someone’s IDs and passwords means you can do anything on that site the individual can do. One has to wonder what else those entities demanding passwords do with personal information.

An employer may learn about such things as applicants’ religious views or disabilities on which they’re not permitted to base hiring decisions. If the candidate is not hired, this could lead to a discrimination claim.

David includes a slide deck from a presentation he gave at a Canadian Bar Association meeting that talks about the legal process to do that.  He also details the extent of the tracks we leave online, and the staying power of those tracks.

I attended a webinar today by the CBA entitled Safeguarding your Client’s Confidential Information – Tips and Traps. Presented by David Fraser and Dominic Jaar.

Here are some of the highlights.

Quote from security expert Bruce Schneier:

“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.”

This is primarily a people issue – requires training and understanding. It’s not just about technology.

Ethical rules. Not just rules against gossip and intentionally disclosing client information.

Includes an obligation to safeguard all of the information about a client against misuse and disclosure.

Privacy laws also apply.

For example, PIPEDA requires safeguards against:

Loss or theft,

Unauthorized access,

Disclosure,

Copying,

Use, or

Modification.

Cradle to grave protection is required – disposal of paper and any computer memory (no matter where it is – computer, fax machine, jump-drive, smartphone, etc.) must be done by shredder or other method of destruction.

When using social media be cautious about whether to separate personal from professional.

When crossing borders – customs have broad ability to look at your laptop. Best solution is to not cross the border with client materials on laptop. Some lawyers use clean loaner laptop when travelling, and access client info remotely.

The biggest threat to security – is you, the user.

Encourages encryption of all client data on portable devices such as laptops, jumpdrives and smartphones.

Think it can’t happen to you? 86,000 lost or stolen laptops per year.

Make sure you change the default settings for admin usernames and passwords on hardware. Don’t forget Bluetooth.

Check password strength here: https://www.microsoft.com/security/pc-security/password-checker.aspx?WT.mc_id=Site_Link

Consider this tool: http://passwordsafe.sourceforge.net/

If use cloud – make sure both communication channel and storage is encrypted.

Wipe metadata from word documents you create. Is easy to do in current Word versions. Converting to pdf is not enough.

David states, in part

After a decision out of California which found that police are able to rummage through all your portable electronics incident to arrest, much attention has been focused on how much data people carry around with in their portable electronics. CNN Money is running a story with the descriptive title: Your smartphone could be your most dangerous possession.

David and I have commented before about the ability of customs agents to go though all your electronics.  The California decision was based on the notion that the police looking at the contents of someone’s phone incidental to an arrest is no different than looking in their trunk or pockets.  But with the amount of information that can be on our phones, it’s much more intrusive than that.  Its more like looking through all one’s personal files, banking records, phone records, etc.

And its not just about what police and customs agents can look it, its the risk of losing a phone with all that personal information on it.

Take a look at David’s post for a link to an article about securing your phone.

eHealth has been a major and controversial topic lately.  A lot of time and effort has been spent on it, as there are many issues such as costs,  privacy, security, and standards.

I had an encounter with the health system recently, and from my observations as a patient we need to keep this initiative moving, find ways to solve those issues, and stop using paper.  I paid particular attention to the paper and documents that were created.  Throughout the process, I was asked the same thing multiple times.  (Confirming who I was and what they were going to do multiple times to make sure they don’t make a mistake is welcome, though.) Once I noticed that a nurse was looking at one document, and copying information off it onto another.  By the time it was over, the clipboard had many pieces of paper on it.  No doubt some of that might be entered into an electronic record – which means double entry.  And some of it will get left on the paper and put in a file somewhere never to be seen again.

The current  health care record system has another fundamental flaw – in that records are centered around a particular doctor or hospital, when they should be patient centric.  Health care providers would have much better information about us if they had access to all of our records from the various family doctors, specialists, dentists, etc. that we encounter over our lifetimes.  That would lead to better treatment, and less time spent asking the same questions about things like family history and medications.  Patient centric records would also allow us to take better charge of our own health needs, including preventative health care.

We have the technology, lets rebuild it.

Read this on Canoe

Security: New report uncovers substantial deficiencies in protection by numerous federal agencies

When it comes to the protection of privacy, Canada’s federal agencies have some serious changes to make.

In its 2009-2010 annual report on the Privacy Act, Canada’s Office of the Privacy Commissioner exposed significant deficiencies in privacy protection by a slew of federal agencies.

The privacy commissioner examined five major federal entities, and found none of them had fully assessed the threats and risks inherent in using wireless communication.

Though most afforded the recommended level of encryption, only three of them required strong password protection for smart phones, and none insisted that data stored on the phones be encrypted. Certain entities were also found to have inadequate encryption for wi-fi networks.

There were weaknesses in the management of surplus mobile devices. The privacy commissioner found only one of the organizations could demonstrate all phones were wiped of data before being sent for disposal.

Additional deficiencies were exposed in the area of disposal of personal information.

Though satisfactory policies and procedural rules were in place for the disposal of paper documents and surplus technology, the practical implementation of the policies was deficient.

Tests on surplus computers donated by 31 federal agencies to Canadian schools revealed 90% of the computers had not been thoroughly wiped of data. Confidential, highly sensitive and even classified data remained on many of the computers.

The report also highlighted some key investigations into inappropriate disclosures of personal information from 2009-2010.

As a result of both faulty procedures and deliberate malfeasance, federal agencies wrongfully exposed personal information on numerous occasions.

Dan wrote yesterday about what to do if hackers steal your online accounts.  As a companion to that, Yahoo!Canada has an article from Real Simple magazine entitled Scams Even you Could Fall For – And How to Avoid Them. 

It talks about things like phony gift card offers, mails that look like they come from your bank, sellers of fake items like event tickets, and fake charities. It also suggests some resources to use for checking to see if things are legit.  Sometimes just doing a Google or Bing search will ferret out if something is a common scam.

Fraudsters and malware distributors are always trying to stay 1 step ahead of spam filters, and often manage to get things through that look amazingly like legitimate messages from Facebook or other social networking sites.

Remember to be skeptical about communications that carry either really good news, really bad news, or that require some immediate action to avoid a dire consequence.  If, for example, you receive a message that purports to be from your bank – just call the bank at the number you have for them (not a number that thecommunication tells you.)  Instead of clicking on a link that says its to a facebook message, just log onto facebook in the normal way to see if there is a message there.

Most of us realize that merely deleting a file doesn’t really remove it from the hard drive or other storage media it resides on.  (For some background on this issue see a post I wrote a while back.)

Given how we use digital devices today – both for work and personal use – we can’t just abandon this issue to our firm IT staff.  Our personal computers at home, our phones, copiers, memory sticks and ipads all probably contain our own personal information, or personal or confidential information of others.  We need to manage that not only while we use those tools – but when we dispose of them as well.   Pulverizing them into dust – aka destruction to the smithereens level – is not always an option.

This Microsoft article is worth a read, as it explains the issue, has some suggestions to reduce the risks, and links to some disk erasing tools.

Nonetheless, it is important to recognize that a significant number of privacy breaches, and leaking of confidential information, are internal – whether that be from a system issue, human error, or an intentional action. 

We can’t just focus on preventing external access.