Sunday, April 29, 2007

2K Bloggers: Anonymous Blogging

As a follow-up to my previous post, I highly recommend Elaine’s excellent post over at 2K Bloggers:

The EFF (Electronic Frontier Foundation) suggests these six things you should do to be anonymous: Use a Pseudonym and Don’t Give Away Any Identifying Details, Use Anonymizing Technologies, Use Ping Servers, Limit Your Audience, Don’t Be Googleable, Register Your Domain Name Anonymously. But there’s more you can do, too... Read the rest of Elaine's post here.

Some great tips for those who are concerned about the potential risks of blogging on sensitive topics.

Thursday, April 26, 2007

Google Search Blocks Canadian's Entry into U.S.

An alarming report from Tuesday’s Globe and Mail:

Nearly 40 years ago, a young psychotherapist embraced two-thirds of LSD guru Timothy Leary's advice to the Sixties generation to "turn on, tune in and drop out." Curious how LSD and other hallucinogens might be used in treating patients, Andrew Feldmar turned on and tuned in himself. But he never dropped out. And, no fan of the late Dr. Leary, Mr. Feldmar took his last hit of acid in 1974.

Thirty-two years, however, turned out to be but an instant in the long, unrelenting U.S. war on drugs. Last summer, in an incident that has just come to light, Mr. Feldmar, now 66, was banned from entering the United States because of his long-ago use of LSD. Because Mr. Feldmar had never been charged with possession of the once-popular illegal drug, privacy advocates are even more alarmed by the way U.S. border guards at the busy Peace Arch crossing near Vancouver found out about it.

The guards simply looked up Mr. Feldmar on the Internet and discovered his own article about using LSD, written for the scholarly, peer-reviewed journal Janus Head.

Eugene Oscapella, an Ottawa lawyer involved in privacy issues for 20 years, said the incident sends a frightening message to Internet users, particularly those who bare their souls online. "Don't ever put anything about any illegal activity on the Internet," Mr. Oscapella warned yesterday. "It leaves a digital footprint for all to see, and it's there forever. "We've gone beyond Orwellian measures. The state can now do things with a flick of the switch that used to be incredibly labour intensive."

In an earlier posting, I discussed the many risks that bloggers take in exposing personal information on the Internet with respect to employment and personal relationships. What’s most shocking about this incident is that Mr. Feldmar has never been convicted of a criminal offence and has crossed the border into the United States numerous times without issue. More disturbing than the power that border guards seem to wield is the fact that Mr. Feldmar felt compelled out of fear to sign a confession:

Mr. Feldmar was held at the border for five hours, before being allowed to return to Canada after signing an admission that he had once violated the U.S. Controlled Substance Act. He said he signed out of fear that he might be kept in custody even longer if he refused.

Willie Hicks, public affairs officer for the border crossing, said yesterday that Mr. Feldmar admitted violating U.S. drug laws "in a sworn statement. "I don't make the laws. That's the policy, and we enforce the laws at the border. It is up to the discretion of our officers who gets to go across."

A major blow to free speech and another reason to think twice before putting any of your personal information on the Internet.

Wednesday, April 25, 2007

The 7 Laws of Identity: User control in system design

As the level of fraudulent activity online grows, consumer confidence in e-commerce is increasingly threatened. In response, Kim Cameron, Chief Identity Architect at Microsoft developed the 7 Laws of Identity, in cooperation with a number of leading experts from around the world. At the recent Privacy and Security Conference in Victoria, British Columbia, Ann Cavoukian, Information and Privacy Commissioner of Ontario, presented a white paper proposing privacy-embedded laws of identity, based on Cameron’s 7 Laws.

The proposal would create an identity layer in software and web services. Programmers are urged to embed privacy capabilities based on the following seven laws:

Law #1 – User Control and Consent
The user must have control over how much information to provide and under what circumstances.

Law #2 – Minimal Disclosure for a Constrained Use
The user must only provide the least amount of information for a specific purpose.

Law #3 – Justifiable Parties
The disclosure of personally-identifiable information is limited to only those parties that have reason to require it in order to fulfill a specific purpose.

Law #4 – Directed Identity
Web sites and other technology should be unidirectional and shouldn’t be able to access your personal information without your prior consent.

Law #5 – Pluralism of Operators and Technologies
Systems should ensure that users can decide how much personal information to provide, depending upon the context. A “one size fits all” solution is not desirable where your personal information is concerned.

Law #6 – Human Integration
The ways in which users interact with systems must be done in a way that ensures users can more easily detect fraudulent websites and messages.

Law #7 – Consistent Experience Across Contexts
Systems are designed with standards and conventions that are easily recognizable to users, while allowing the user to exercise control between contexts.

More and more of our personal information is accessible than ever before and most of is controlled by others, in both the private and the public sectors. As more of our routine tasks and commerce take place on the Internet, the 7 Laws of Identity are a means for users to take back control of their personal information.

Monday, April 23, 2007

Google-DoubleClick Merger Privacy Threat

From Reuters:

Consumer privacy groups on Friday sought to derail Google Inc.'s $3.1 billion deal to buy online ad supplier DoubleClick Inc., filing a complaint with U.S. regulators to block the merger on privacy grounds.

Groups led by the Electronic Privacy Information Center have filed the complaint with the U.S. Federal Trade Commission arguing the merger would violate agreed limits on how much data advertisers collect on consumers and seeking an injunction.

"Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world," the complaint by the privacy activist groups argues.

DoubleClick provides graphical ads from corporate marketers on thousands of sites across the Web. With the proposed merger, Google would emerge as an even more powerful force in the online ad market. Both Google and DoubleClick are denying that their data tracking capabilities would also be merged.

EPIC, along with the CDD (Centre for Digital Democracy) and US PIRG (Public Interest Research Group) are concerned about Google’s ability to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The complaint urges the Federal Trade Commission to require Google to present a public plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. The OECD guidelines include a fundamental principle of openness:
There should be a general policy of openness about developments, practices and
policies with respect to personal data. Means should be readily available of
establishing the existence and nature of personal data, and the main purposes of
their use, as well as the identity and usual residence of the data

EPIC led the move in 2000 to prevent DoubleClick from automatically combining data from a national marketing database it had acquired and its own anonymous data collected from the computers of Web surfers. DoubleClick eventually backed down and provided users with an “opt-out” option.

Corporate mergers of this type are a serious threat to privacy as search histories and web site visits could be combined, allowing an individual's activities to be tracked across a wide range of websites. In the U.S., the only law that specifically regulates privacy applies to children under the age of 13. EPIC is urging strong privacy legislation, similar to that in the EU and in Canada.

Sunday, April 22, 2007

Happy Earth Day

Off-topic for a bigger cause today... to celebrate, here are some of DivineCaroline's 50 Green Tips for Earth Day and Beyond. As a librarian, I especially want to endorse Tip # 14!

1. Lower your thermostat. Buy a programmable thermostat.
2. Reuse your water bottle. Avoid buying bottled water. In fact, reuse everything at least once, especially plastics.
3. Check out your bathroom. Use low-flow faucets, shower-heads, and toilets.
4. Start a compost in your back yard or on your rooftop.
5. Buy foods locally. Check out Eat Local Challenge and FoodRoutes to get started. Buy locally made products and locally produced services.
6. Buy in season.
7. Buy compact fluorescent light bulbs. You'll find more on energy-efficient products and practices at Energy Star.
8. Turn off lights and electronics when you leave the room. Unplug your cell phone charger from the wall when not using it. Turn off energy strips and surge protectors when not in use (especially overnight).
9. Recycle your newspapers.
10. Car pool. Connect with other commuters at eRideShare.
11. Consider a car sharing service like Zipcar.
12. Ride a bike.
13. Walk, jog, or run.
14. Go to your local library instead of buying new books.
15. At holidays and birthdays, give your family and friends the gift of saving the earth. Donate to their favorite environmental group, foundation, or organization

Read more tips. Small changes add up to a big difference!

Friday, April 20, 2007

12 Tips to Prevent Identity Theft

Identity theft is becoming an increasing problem, with over 160,000 cases reported in the U.S. in 2002 and over 7,000 that year in Canada. So much of our personal information is available in the cards we carry in our wallets, credit card receipts, bank statements and utility bills that it is easy to be careless and place our finances, personal property, credit history and reputation at risk.

Here are some tips from Safe Canada to protect yourself from identity theft:

  1. Sign all credit cards when you receive them and never lend them to anyone.

  2. Cancel and destroy credit cards you do not use and keep a list of the ones you use regularly.

  3. Carry only the identification information and credit cards that you actually need. Do not carry your social insurance card (Canada) or social security card (United States); leave it in a secure place. This applies also to your passport unless you need it for traveling out of country.

  4. Pay attention to your billing cycles and follow up with your creditors and utility companies if your bills do not arrive on time.

  5. Carefully check each of your monthly credit card statements. Immediately report lost or
    stolen credit cards and any discrepancies in your monthly statements to the issuing credit card company.

  6. Shred or destroy paperwork you no longer need, such as bank machine receipts, receipts from electronic and credit card purchases, utility bills, and any document that contains personal and/or financial information. Shred or destroy pre-approved credit card
    applications you do not want before putting them in the trash.

  7. Secure personal information in your home or office so that it is not readily accessible to others, who may have access to the premises.

  8. Do not give personal information out over the phone, through the mail, or over the
    Internet unless you are the one who initiated the contact and know the person or
    organization with whom you are dealing. Before you share such information,
    ensure that the organization is legitimate by checking its website to see if it
    has posted any fraud or scam alert when its name has been used improperly, or by
    calling its customer service number listed on your account statement or in the
    phone book.

  9. Password-protect your credit card, bank, and phone accounts, but do not keep a written record of your PIN number, social insurance or social security number, or computer passwords where an identity thief can easily find them. Do not carry such information in your purse or wallet.

  10. Order a copy of your credit report from the major credit reporting agencies at least once every year. Check with the credit bureaus to see whether there is a charge for this service. Make sure your credit report is accurate and includes only those activities that you have authorized.

I would also suggest that you never allow sales staff to put your receipt in the bag; it’s too easy to forget it, toss the bag and your credit card information along with it.

Also, never leave your signed credit card receipt on the table in a restaurant when you leave; always ensure that you hand it directly to your server before leaving the restaurant. Ideally, you should accompany the server when he or she swipes your credit card to ensure they are not “double-swiping”. Embarrassing, yes, as it implies you don’t trust the server, but most good restaurants should appreciate their customers’ concerns.

Identity theft can be a nightmare for the consumer. Start following these tips today to protect your identity.

For more information:

In Canada: Safe Canada

In the U.S.: Federal Trade Commission

In the U.K.: Home Office

Wednesday, April 18, 2007

Was your privacy breached today?

Consider these scenarios:

  • Your new husband’s ex-wife, who works for a medical office, looks up your medical records.

  • The mail delivery cart in a government office is left unattended in a public area while the mail clerk takes a coffee break.

  • You drop by your boss’s office to update her on your project and notice a disciplinary report on her desk, with the name of a fellow manager showing prominently on the front page

  • You open your annual pension plan update and discover someone else’s report is in the envelope instead of your own

  • A major retailer discovers that their network has been hacked, with potentially hundreds of thousands of customer credit card numbers accessed

  • Your friend in the benefits department tells you at lunch that a co-worker and mutual friend has been submitting claims for visits to a psychiatrist for the past several months.

Which of these scenarios would you consider to be a privacy breach? If you answered all of them, you would be right. According to Canadian privacy legislation, data that is collected or disclosed without authorization is considered a privacy breach. It doesn’t matter that the breach was overt, inadvertent or accidental; the consequences and implications are equally severe.

Security is a means to achieve privacy. Security is established through rigid policies and procedures, a code of ethics and regular training for staff. Security is also established on the information technology side by restricting data access to only those who need it. For example, the government health minister, responsible for overseeing policy direction for his jurisdiction does not require access to citizen health records to do his job, while a clerk responsible for verifying medical claims does require access to those records. While one might expect the health minister to understand the importance of ensuring the privacy of medical records, it is the staff member who actually accesses the records who is in most need of training. And often, these front-line staff are the least-trained in the organization, yet they have the greatest potential to cause a security breach, the majority of which will be accidental or inadvertent.

Organizations need to ensure that the staff who assume the greatest risk through their exposure to confidential information receive annual training about their obligations with respect to privacy legislation and the potential consequences of a privacy breach. Organizations also need a clear set of policies and procedures for dealing with privacy breaches.

Organizations need to ensure that their I.T. departments have adequate budgets to ensure regular upgrades to hardware and software, as well as regular training for their staff.

Governments also need to strengthen privacy legislation to ensure that organizations are accountable to the public in the event of a privacy breach. In the case of the recent TJ Maxx hacking, for example, most U.S. states and Canadian provinces had no legal requirement for the retailer to inform customers that their credit card data had been compromised. Monday's session at the Prairie health information privacy conference highlights the ongoing challenge that privacy breaches, inadvertent or otherwise, present to the public and private sector.

So think back on where you were today – where you work, where you shop, where you ate lunch, where you live – do you know if your privacy was breached today?

Monday, April 16, 2007

The future of privacy: lots of questions, no real answers

We live in a world where being connected and available 24/7 is taken for granted. Was I really born into a world where you drove around looking for a payphone and then hunted for a dime to make a call? Did I once really own one of those huge brick car phones? I remember at 15, my best friend taking me to her bank machine - the first and one and only for several years in my little hometown - and showing me how she could get money from the bank anytime she wanted. Amazing! Fast forward a few decades and if you're a teenager or college student and you're not on Facebook, well, you don't exist. Reality TV promises everyone 15 minutes of fame. Or you can join the masses and start a blog. Or set up shop in Second Life. It's not that we are ghosts in the machine; we are not real unless we are in the machine. It's all happened so fast.

This desire to be visible, to have a presence in a virtual space, is more than a bit unsettling to me. We all have ideas to share and questions to explore, that's why I started this blog. It is a research space for me to ask questions, to try to answer them, and to hopefully hear the thoughts of others on the topic. This makes sense to me and seems to have limited risk. What I find most unsettling is the way that many blogs and social networking sites encourage the individual to introduce all aspects of their personal life and most intimate thoughts into the public realm. It seems an enormous risk in a world where most Hollywood celebrities (Britney and Paris excepted, of course) are desperately trying to preserve the privacy of their personal lives.

A recent survey published Oct. 26, 2006, reported that "26 percent of hiring managers use search engines to check on potential hirees. Half of the manager respondents said they dismissed job candidates based on what they found using a search engine. Sixty-three percent crossed a candidate off their lists because of what he or she had put on a social networking site." Whether or not this is a fair or ethical approach for hiring managers to take is debatable: the fact is that individuals are willingly making more personal information available about themselves in a public forum than has ever been available historically. In what other ways could this information be used? By prospective romantic partners? By insurance companies? And how long will this information be "out there"? What control does one have once the information is published on the Web?

One could argue that adults need to be aware of the potential risks of what they post and consider the consequences. But what about those who share the personal information of others without their informed consent? Dooce's posts include a monthly hommage to her daughter Leta, which include photos, as well as many blog entries documenting her bowel habits. How will Leta feel about this when she's older? Will she consider it a violation of her privacy? Or, will she, along with the rest of her generation growing up in the spotlight of Mommy blogs and Facebook and MySpace not really differentiate between what should be public and what should be private?

The blurring of public and private is a disturbing trend, with potentially devastating consequences: so why do people feel compelled to "show-and-tell-all" online? That's for another post.

Wednesday, April 4, 2007

Smile... you're on Candid Camera

…and pick up that rubbish, mate!

From Reuters:

Britain will fit more surveillance cameras with loudspeakers allowing security staff to berate people spotted dropping litter, fighting or vandalizing property, the government said on Wednesday. Home Secretary John Reid hopes the talking cameras -- which have been on trial around the country -- will help cut crime. But critics say the idea is another lurch towards Britain becoming a ``surveillance society.'' …``Talking CCTV is another tool in creating safer communities,'' Reid said in a statement. ``It uses modern technology to allow camera operators to speak directly to people on the streets to stop or prevent them acting anti-socially.'' Louise Casey, a civil servant who co-ordinates the government's Respect campaign to tackle bad behavior, said people could ``face the shame of being publicly embarrassed.''

Britain is the most watched country in the world, with an estimated 4.2 million CCTV cameras, or one for every 14 people. As a result, surveillance has emerged as a thriving industry in Britain, where many residents seem eager to trade personal privacy for the perception that the cameras reduce crime and other anti-social behaviours. CCTV cameras are everywhere in Britain: the workplace, motorways, public squares and gathering areas, and many are choosing to install them inside their own homes. According to Privacy International:

CCTV is very quickly becoming an integral part of crime control policy, social control theory and 'Community consciousness'. It is promoted by police and politicians as primary solution for urban dysfunction.

But do these cameras really work, or do they just move the problems along to areas where there is no surveillance? Many dispute the statistics provided by law enforcement agencies and argue that the cameras are typically placed in “high-rent” districts and displace the criminal activities into more “low-rent” areas.

In addition to more public CCTV cameras, the Blair government is also planning to issue national identity cards with a corresponding database of personal information. No wonder even the UK's Information Commissioner has labeled Britain a “surveillance society”.

Monday, April 2, 2007

GMail Paper .... for some, it's no joke

I’m not sure how long this link will be available, but the gist of Gmail Paper is that you can click and print as much as you want on-line and Google will sort your print-outs and deliver them directly to you so you can have the satisfaction of maintaining a paper trail:

Everyone loves Gmail. But not everyone loves email, or the digital era. What ever happened to stamps, filing cabinets, and the mailman?

Well, you asked for it, and it’s here. We’re bringing it back.

A New Button
Now in Gmail, you can request a physical copy of any message with the click of a button, and we'll send it to you in the mail.
Simplicity Squared
Google will print all messages instantly and prepare them for delivery. Allow 2-4 business days for a parcel to arrive via post.
Total Control
A stack of Gmail Paper arrives in a box at your doorstep, and it’s yours to keep forever. You can read it, sort it, search it, touch it. Or even move it to the trash—the real trash. (Recycling is encouraged.)
Keep it Secret, Keep it Safe
Google takes privacy very seriously. But once your email is physically in your hands, it's as secure as you want to make it.

Google’s April Fool’s day joke is hardly a laughing matter for those of us responsible for an organization’s document management. Truth is, many of us are as addicted to paper as we are to e-mail, IM and our cellphones. This issue surfaced last week, when I was reviewing the status of paper records with staff at work, along with some reps from the company that provides the electronic document and record management system (EDRMS) that we will be implementing. Apparently, staff had been discussing the new system and many assumed that we would just continue to retain the paper versions in addition to the electronic copies on the EDRMS.

The fact is that many people are just not comfortable with the seemingly ephemeral quality of electronic documents which they feel could be too easily deleted or “lost”, while somehow the paper copy provides a sense of “permanence”. This, despite the fact that paper documents can easily be misfiled, lost, destroyed or altered, yet it seems the ability to hold something tangible and “real” in the hand provides a false sense of security that the electronic document cannot.

In British Columbia, the Electronic Transactions Act provides the framework for the acceptance of electronic documents in lieu of the original paper copy if:

- there exists a reliable assurance as to the integrity of the record in
electronic form, and;
- the record in electronic form is accessible by the person to whom it is provided and is capable of being retained by that person in a manner usable for subsequent reference.
- if there exists a reliable assurance as to the integrity of the record … i.e. the record has remained complete and unaltered, apart from the introduction of changes that arise in the normal course of communication, storage and display

- on provision or receipt of the record, the information, if any, that identifies the origin and destination of the record and the date and time when it was sent or received is also retained.

These standards serve to ensure the reliability and integrity of the electronic version of the document. The challenge is to build these standards into the EDRMS and to ensure that system backups are secure and redundant. Then it becomes a matter of educating employees so that they can let go of their “security blanket” and have the same level of confidence with the electronic document as they do with the paper version.

Sadly, I suspect that if Google were serious about offering the GMail Paper service, they would be flooded with customers ...