Monday, June 28, 2010

Mandatory Disclosures of Privacy Breaches in Saskatchewan

This headline popped up in my Star Phoenix news feed the other day:

"Province Ponders Revealing Privacy Breaches"

I quote, from the article:
"The issue here is this is people's private information," said NDP house leader Kevin Yates. "When your private information has been given to a third party, people have a right to know that, not only the individual but the public also has a right to know that if their information guarded by SGI . . . or held by any agency is allowed to be made public. That is of concern to everybody."
Kudos, Kevin Yates and everyone who agrees with this idea! Citizens should absolutely have a right to know about when their private data has been accidentally distributed to third parties.

To those of you who are on the fence: other organizations know a lot about you. Saskatchewan Health Region knows your health, the U of S knows your academic record, the Government knows your name, address, and SIN number. The fact that organizations are not legally obliged to disclose privacy breaches is crazy!

Here's an even better idea. What if the law required organizations to notify citizens of ANY time their personal information is disclosed (en masse) by any organization. This would mean that any time your information is lost, leaked, sold, accessed or otherwise distributed, you know about it. Let's assume there's a fair use exception, like if a contractor needs to let a subcontractor know your address for work you've hired the contractor to do.

There would be two immediate benefits to this system: For one, citizens have the benefit of knowing who is holding their private information. Secondly, if violators faced significant fines, organizations would have to tighten their control of private data - especially in Regina, where medical records have been found blowing around on the street.

On the scale of confidential, need-to-know, and right-to-know, I'd argue that when your personal information is involved, notification of privacy breaches should be a right.

Tuesday, June 22, 2010

Canadian Privacy Commissioner's Google Street View Probe: Let's Drop It

On Friday, May 14, 2010, Google announced that their camera-laden Street View cars had been inadvertently been collecting unencrypted wifi data:

"...we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products." (source: Google)
I recommend reading Google's entire explanation for an example of a perfect admission of wrongdoing and accompanying apology. Straight out of the good communication textbook, Google:
  1. Acknowledged their wrongdoing (collection of unsecured wifi data);
  2. Recognized feelings of anger, frustration, disappointment and betrayal;
  3. Took full responsibility for their actions;
  4. Explained their error without assigning blame;
  5. Offered a sincere apology;
  6. Offered an immediate fix for the problem (grounding of all Street View cars, contacting government regulators about how to dispose of the data).
In response, Canada's Office of the Privacy Commissioner is launching a full investigation into what happened (see link for news release).

Says Privacy Commissioner Jennifer Stoddart:

“We have a number of questions about how this collection could have happened and about the impact on people’s privacy. We’ve determined that an investigation is the best way to find the answers.”
But... don't we already have the answers? Google collects data, Google realizes mistake, Google releases details of exactly what happened and how, Google gets in touch with governments so they can delete this data properly. And because Google collected the data and not evil hackers, guess what the impact was: nothing.

I like the Office of the Privacy Commissioner. They're a taxpayer-funded office who promote and protect the individual privacy rights of Canadians - and I'm down with that. They've slapped Facebook into shape on more than one occasion. But do we need to be spending taxpayer dollars on an investigation where there isn't anything to investigate?

Canada isn't the only country getting up in arms. The Consumerist is reporting that 30 American states are banding together for an investigation of their own. 

Here's the real issue. The data in question that was collected by Google was pulled off unsecured wireless networks. In layman's terms, that's a network without a password and encryption. People were (in all fairness, unknowingly) broadcasting their internet interactions for the world to see. Yes, that includes emails and passwords!

Forget about Google, what about Wardriving? There are far less-responsible people and organizations than Google who are pulling information from unsecured networks all of the time. Suddenly, the fact that Google's sitting on information from our private networks is awesome - now that they have it, they can protect it, they know they have to get rid of it, and they can't use it maliciously. And they're good at security. When Chinese hackers hacked Google, Google hacked them back.

The Office of the Privacy Commissioner should be helping Canadians by lowering the number of people who are accessing the internet over unsecured networks. They should be developing ways to make sure products like routers and laptops are safe (privacy-wise) to use out of the box, and to promote the use of secure protocols to websites that handle sensitive information (banks, social networks, email, etc). They should be finding ways to better educate the public on taking privacy matters into their own hands. They should be working with Google to dispose of that private data as quickly as possible, rather than work against them through an investigation. They should be developing programs so that everyone can understand privacy and data in the digital age.

Forget about this investigation. It should be the end-user's responsibility to take steps to protect their own privacy. No user is perfect - I've helped lots of people with different computer issues, and I've made plenty of mistakes myself. No hardware is perfect - many wireless routers are "broken" out of the box, in that their out-of-box settings are terribly insecure. Lastly, no software is perfect - Google's Street View cars were obviously flawed.

Still, individuals must accept a higher degree of responsibility for their digital privacy and security. Nobody would paint their SIN number on the side of their house, yet there are plenty of unsecured wireless networks doing just that.

Saturday, June 19, 2010

The Internet Beyond Facebook

I deleted my Facebook account just before it was "cool" - at the end of April 2010. See? This is the Google Search Trends for the query "delete Facebook":
It was just after I read the Eroding Privacy Timeline, published by the Electronic Frontier Foundation, and right before these events happened:
Yes, May 2010 was a bad month for Facebook and I am glad I got out when I did (not that my account was actually deleted).

Here's a fair question of me: If I care so much about online privacy issues, why do I have a blog, a homepage, a Google/Gmail account, a Twitter account, etc?

For one, most of the online services I subscribe to have fairly easy-to-read and easy-to-digest privacy policies (example: Gmail. Counterexample: Facebook's privacy policies over time). Second, my favourite services often give me an easy way out - it's easy to delete accounts, unlike Facebook. Third, most of these services have spent a lot of time building and earning my trust as a user - Facebook has always been sketchy. Fourth, and perhaps most importantly, the services don't radically change over time, at least not to the insane degree that Facebook has changed from privacy-centric to advertiser-centric.

(I'll admit that the services I like aren't without flaws. I am a fan of Google products but they dropped the ball with Google Buzz when it was released).

There's a difference between leading a private life and the expectation of the right to privacy. For example, from Fall 2008 to Spring 2009 I spent months trying to get more information on the secret yellow tracking dots that colour laser printers use to identify document owners (it's not a conspiracy theory!). I got in touch with Lexmark and they eventually offered to give me a full refund on my years-old colour laser printer, but I was more concerned with the overall privacy issue at hand, not my personal privacy. I declined the offer.

Back on topic. Privacy issues aside, Facebook had evolved into a service that just wasted my time. I'd log in (several times per day, usually) and just creep updates. Then, I realized that the reasons most people used Facebook suddenly no longer applied to me!
  • Photo sharing - Facebook does this well, but there are free alternatives with more flexible privacy controls like Flickr and Google's Picasa.

  • Staying in touch with friends and family - That's why I have a phone (voice/text/BlackBerry Messenger) and email.

  • Reconnecting with old friends - There are lots of other ways to do this.

  • Connecting with organizations through Fan Pages - Often congested and ugly for big organizations and under-used and neglected for small ones. Also, this feature is now less about connecting and more about marketing.
I'm not arguing that everyone should delete their Facebook account; I am arguing no-one should feel trapped by something they optionally use. If you feel trapped, it's a sign you need to escape.

I felt cut off for the first few days after deleting my Facebook account, but now that it's gone, I don't feel like I am missing anything - I can waste my time doing other things! My subconscious urge to constantly check it is gone - I've escaped from the trap!

About Me

My name is Brahm. I finished University in April 2010, and already I miss writing. I am hoping this blog can satisfy that craving!

I'm interested in technology, privacy, communication, geeky stuff, technology, consumerism, Canadian and Saskatchewanian (is that a word yet?) news, and more. I've been thinking about some of these topics for a few weeks now and have a "to-write" list that I'm hoping to get through.

For more about me or the projects I've worked on, check out my website - http://brahm.ca.