How do you know that what you know from the web is what should be known on the web?
Three Laws for Web Pages
Wunderlich's Three Laws for Web Sites
(with all due reverence to Asimov)
1. No web site may violate a human being's right to privacy, or through inaction [1], allow a human being's privacy to be violated.
2. A web site must respect a human being's consent with respect to her personal information, even if it conflicts with the first law.
3. A web site must protect its own existence as long as such protection does not conflict with the 1st or 2nd law.
[1] Inaction includes not taking responsibility for what ad networks are doing with your users' information.
Test Post
January 7, 2015
This is a test post, please disregard
Privacy UX
Privacy by Design: UX & UI
With the announcement of iOS 7, elements of the blogosphere have become awash in commentary back and forth about the new design. Does the fact that Apple has chosen Helvetica Ultra Light as the default font have implications for privacy? Not so much. But privacy and design are connected, and all the commentary that I’m seeing about Apple’s new mobile operating system is focussed on the immediate and the transient. This makes me think about Privacy by Design (PbD).
The focus around iOS 7 is on the immediate user experience (IUX if you will). Focussing on the IUX is, I would argue, what gets organizations in trouble and does not meet PbD principle #1 - Proactive & Preventative. This is because the user experience of privacy is not immediate, except in the obvious egregious cases such as where web sites demand personal information for registration. A user’s privacy experience with an organization is cumulative and evolves transaction by transaction.
This is not to say that the IUX is not important. Of course it is, and it is the result of well thought through user interface choices, one of which is Privacy by Design principle #2 - Privacy as the default setting. But have designers fulfilled their PbD goals by making privacy options both available and the default? Again, not so much. On the face of it, by doing this designers will have met most of the PbD requirements:
Designers have proactively included privacy interface features
The system has privacy protective default settings
The system has embedded privacy protective options
Designer ensures that there is full functionality
Architects ensure the site is designed with end to end security
Privacy officers ensure that the privacy is visible and transparent
By focussing on UI and UX, designers assume that they are user-centric
So what’s the problem? It’s a variant of the old saw in computer programming, when the programmer asks for a set of requirements and builds a prototype for their customer. When shown the prototype, the customer shakes their head and says, “You’ve given me everything I asked for, but that’s not what I wanted." Privacy, it seems to me, is the same thing. If designers focus on the immediate experience they are likely to encounter unintended consequences down the road. Data that is accumulated over time is called longitudinal data. This is the kind of data that is used for epidemiological studies, or changes in a population over time. So I propose to borrow the term and suggest that Privacy by Design requires an understanding of the Longitudinal User Experience (LUX).
Only when system designers study the long term impacts on user privacy will they be proactively addressing and preventing privacy issues. This includes checking back with users on a regular basis for privacy status checks and validation, proactively notifying users of changes impacting their privacy and not implementing changes that could reasonably be construed to be less privacy protective than existing design choices. Above all, it means recognizing that privacy is embodied in the relationship and transactions with the users, not in a series of policy statements.
Bear with me, but this reminds me of a joke about a couple. She says, “You haven’t told me you love me in a long time.” He replies, “I told you once, and I’ll let you know if the situation changes.” That attitude doesn’t work in relationships, and saying, “We told you that we would protect your privacy when you signed on to the service, and will let you know if that changes” doesn’t work that well either.
Meeting the PbD Proactivity principle means regularly engaging with your users about privacy, without beating them over the head with policy statements. Their user experience, in every transaction, needs to reflect your ongoing commitment to giving them control over the information you collect about them. Sometimes that means sacrificing immediate gratification for long term satisfaction. That’s how adults behave, and that’s how you prevent the need for remedial action.
Definitions
User Experience: According to the Wikipedia entry on User Experience: ISO 9241-210[1] defines user experience as “a person’s perceptions and responses that result from the use or anticipated use of a product, system or service”. According to the ISO definition, user experience includes all the users’ emotions, beliefs, preferences, perceptions, physical and psychological responses, behaviors and accomplishments that occur before, during and after use. The ISO also lists three factors that influence user experience: system, user and the context of use.
User Interface: According to the Wikipedia entry on User Interface: The user interface, in the industrial design field of human–machine interaction, is the space where interaction between humans and machines occurs. The goal of this interaction is effective operation and control of the machine on the user’s end, and feedback from the machine, which aids the operator in making operational decisions. Examples of this broad concept of user interfaces include the interactive aspects of computer operating systems, hand tools, heavy machinery operator controls, and process controls. The design considerations applicable when creating user interfaces are related to or involve such disciplines as ergonomics and psychology.
All Those Companies that Can't Afford Dedicated Security
This is interesting:
In the security practice, we have our own version of no-man's land, and that's midsize companies. Wendy Nather refers to these folks as being below the "Security Poverty Line." These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don't know any better. And the attackers seem to sneak those passing shots by them on a seemingly regular basis.
[...]
Back when I was on the vendor side, I'd joke about how 800 security companies chased 1,000 customers -- meaning most of the effort was focused on the 1,000 largest customers in the world. But I wasn't joking. Every VP of sales talks about how it takes the same amount of work to sell to a Fortune-class enterprise as it does to sell into the midmarket. They aren't wrong, and it leaves a huge gap in the applicable solutions for the midmarket.
[...]
To be clear, folks in security no-man's land don't go to the RSA Conference, probably don't read security pubs, or follow the security echo chamber on Twitter. They are too busy fighting fires and trying to keep things operational. And that's fine. But all of the industry gatherings just remind me that the industry's machinery is geared toward the large enterprise, not the unfortunate 5 million other companies in the world that really need the help.
I've seen this trend, and I think it's a result of the increasing sophistication of the IT industry. Today, it's increasingly rare for organizations to have bespoke security, just as it's increasingly rare for them to have bespoke IT. It's only the larger organizations that can afford it. Everyone else is increasingly outsourcing its IT to cloud providers. These providers are taking care of security -- although we can certainly argue about how good a job they're doing -- so that the organizations themselves don't have to. A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on -- and who increasingly accesses those systems using specialized devices like iPads and Android tablets -- simply doesn't have any IT infrastructure to secure anymore.
To be sure, I think we're a long way off from this future being a secure one, but it's the one the industry is headed toward. Yes, vendors at the RSA conference are only selling to the largest organizations. And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term "cloud provider" hadn't been invented yet):
For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.
[...]
The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.
(Via Schneier on Security)
Privacy Story of the Week (PSotW) - January 27
Happy International Data Privacy Day
What with a busy weekend, and data privacy day today, I'm a little delayed in identifying and posting last week's privacy story of the week, which is:
Canada’s privacy watchdog wants answers over NETFILE web-service change
Canada’s privacy watchdog would like some answers from the government’s tax collector after it eliminated the need for a web-access code to file personal-income tax returns online.
I chose this for the privacy story of the week partially because when I got the mail from the Canada Revenue Agency, my first thought was to file a Freedom of Information Request for any copies of a Threat/Risk Assessment or Privacy Impact Assessment relating to the change. On the face of it, it appears to be a reduction in the security of the NETFILE system. Before this change, each participant would receive a code through the mail. In essence this created a type of two-factor authentication system. Going forward, people who want to NETFILE only need to provide their Social Insurance Number and their date of birth.
The CRA spokesman said in the coverage of this story that since the NETFILE system does not allow users to change their address or direct deposit information, no confidential information is ever revealed. Those kinds of changes require the "My Account" service, which does require a separate security code.
What seems to me to be the most disturbing piece about this is that the CRA proceeded with planning and announcing this change without engaging the Privacy Commissioner's office. In organizations to whom I provide advice, I usually recommend that there needs to be a privacy impact policy that sets out when a privacy impact assessment (PIA) or a threat & risk assessment (TRA) should be carried out. While the goals of the two assessments are not the same, the triggers for the assessments should be similar: if there is a change proposed to a system that collects, uses, discloses, retains, or disposes of personally identifiable information, then the organization should assess the proposed change or new system to ensure a continuity of privacy (PIA) or security (TRA) protection.
According to iPolitics, the CRA says these changes will be safe, make filing returns easier and improve service. It seems only fair to point out in passing that this change is also likely to save the government money. While it's good to save money, this shouldn't be at the expense of citizens or their data. The determination about whether citizen data is at risk is the purpose of doing a PIA or a TRA. Let us all hope that this has all been done, and that the controversy has arisen simply as a result of the bad communications strategy on the part of the CRA.
Other privacy stories of note
Not just for modern warfare: RCMP to expand use of drone mini-helicopters
Unmanned surveillance drones with live-streaming video and thermal-imaging technology. What could possibly go wrong? Other than maybe a whole new YouTube channel...
WhatsApp violated Canadian law, says privacy commissioner
The Canadian and Dutch privacy commissioners jointly investigate a California-based mobile chat app.
Privacy visor blocks facial recognition software
Wraparound plastic glasses designed to foil surveillance cameras.
Report finds B.C. Government’s $182 million Integrated Case Management system plagued with “fundamental deficiencies”
"The B.C. Ministry of Child and Family Development has issued an interim report by a consultant hired to review the problem-plagued Integrated Case Management System, and the results are damning."
Prof offers $100 to any Canadian who can find a ‘privacy-compliant’ surveillance camera
"After two years of offering the $100 reward to his students for educational purposes, he’s now opening it up to the entire country."
ICT and human rights: A roundup of 2012 and challenges for 2013
"Freedom of expression and privacy, two rights intertwined with the information and communication technology (ICT) sector, were very much in the spotlight in 2012. Balancing the two is not easy, and companies in the sector continue to face many difficult choices."
Fitbit To Give Employers Your Fitness Report?
According to this piece,
"According to a recent report, Fitbit is working with an insurance company to 'determine whether individuals who use the mobile devices visit their physicians less than those who do not use the devices.' Fitbit's Chief Revenue Officer claims that if Fitbit can make a direct connection to reduction in medical care costs, then the floodgates would be open."
See the text of the CCLA piece below. There is a simple solution to McGill's problem. If the information that is being requested by the students is information that is accessible through a Freedom of Information request, then wouldn't it be much simpler to make all such data openly available to the public? If the data that should be accessible were already accessible, and searchable, not only would FOI requests go down, but the availability of such information would build trust that the institution is being run in a manner consistent with its public mandate.
Freedom of Information and Privacy are together the two sides of a scale that reduces the imbalance in power between institutions and citizens. On the one hand, citizens in a democracy must have the ability to move about in their private lives and make their choices untrammelled by the chilling effect of pervasive surveillance. AT THE SAME TIME, those in power must be curtailed in their ability to operate in secret, to enable interested citizens to know how their money is being spent and what plans are being made.
McGill seeks right to turn down future information requests
McGill University has asked Quebec’s access to information commission to give it the right to turn down future requests from students who have repeatedly requested information.
University spokesperson Julie Fortier told the CBC that requests filed by 14 students abuse the system and would disrupt operations at the school. The requests in question include large demands, which Fortier calls “excessive”:
“She said the requests in question include demands for ‘all floor plans or maps of all buildings, tunnels and spaces maintained or operated by McGill, including emergency exits like fire escapes’ as well as ‘invoices for the filling of the fridge in the office shared by the staffs of the provost and the principal from 2002 to 2012.’” – CBC News
The motion submitted to the commission alleges the requests are “a retaliation measure against McGill in the aftermath of the 2011-2012 student protests”. Christopher Bangs, one of the respondents named in the motion and founder of the website McGilliLeaked which has published documents obtained in past access requests, says there was no coordinated effort.
The university wants to turn down the current requests. However, the university has also asked for the right to turn down future requests from any McGill student, any student journalist at the McGill Daily or Concordia University’s The Link, and anyone linked to the website McGilliLeaked if they have certain characteristics. These include requests that are “overly broad”, “frivolous”, “target trivial information” or that are “associated to one or more categories of documents and information published on McGilliLeaked”.
Privacy Story of the Week (PSotW) - January 20
The end of genetic privacy?
Our genetic information is irreducibly and uniquely tied to who we are. Is it a surprise that as genetic analysis becomes both cheap and publicly available, we can be identified this way?
An article in Science magazine showed how researchers could use data donated by individuals to identify those individuals. A BBC article presents a nice summary of how this was done. The short version is this:
Individuals donated genetic material 'anonymously' to the 1000 Genomes project to help find the most genetic variants that have frequencies of at least 1% of the population (the consent form for the donation provided assurances about privacy, but no guarantees - as one would expect)
The researchers accessed the donated data, and correlated it with open access genealogy databases, to back identify individuals that had donated their genetic material.
50 individuals were identified
The issues here are fraught, and while researchers who say that there is enormous potential in these data are correct, they fail to note that there is enormous potential for health research and also enormous potential for fraud, identity theft, and invasion of privacy. This is particularly the case in the U.S. where medical fraud is a multi-billion dollar enterprise, or where people regularly self-medicate rather than risk loss of medical insurance or employment through revealing private medical information.
Research consistently shows that people want their medical information protected at the highest level. Treating it as research data to be shared widely without protections with other researchers fails to meet that expectation. According to one survey, "43.2 percent of Canadian patients stated they have withheld or would withhold information from their care provider based on privacy concerns." When I train people on medical privacy I use the example of a patient expressing concern about their hospital gown that leaves their backside exposed and the nurse replying, "Don't worry, I've seen it all before". People usually laugh at the joke but it reveals how some medical staff regularly trivialize patients' concerns about privacy. This removes agency from a patient when they are feeling their most vulnerable and adds stress that they don't need.
Trust by patients is at risk because of this. As more and more medical privacy breaches come to light, patients are likely to reveal less and less to their physicians and will be less likely to give consent to research. Unless and until the medical community, especially the research community, starts to actively listen and be open with patients about data AND starts to teach itself how to apply security to health IT systems more consistently, trust will continue to erode.
Other privacy stories of note
B.C. Health Ministry alerting thousands about privacy breach of personal data
Sad to say there is another government privacy breach, where the breach happened months ago and only now is there action.
On Facebook, users can no longer hide from search results
Facebook introduces "Graph Search". The New York Times calls it a Privacy Test, saying that Facebook's greatest triumph has been to persuade a seventh of the world's population to share their personal information online. While this is an overstatement, as many people manage their online personas even if they don't manage their privacy settings, it's not over the top either. You only have to look at what Gizmodo found to reinforce the two basic rules to understand and use social networking sites:
Since you are getting the service for free, you are not the customer - your personal information is the product. Remember this when using a 'free' on-line service.
Post nothing on a social network unless you are comfortable with the same thing posted on a billboard outside your parents' home or your workplace.
Surveillance Strategy Is ‘Privileged and Confidential,’ FBI Says
It is clearly the case that most police have a NIMBY attitude towards protecting privacy. "Privacy should be protected, but we are the good guys and you can trust us." seems to sum it up. Another way to look at it is that some police regard everyone as suspects first and citizens second.
We Must Choose Privacy Or Medical Breakthroughs: Statisticians ID Anonymous Study Participants
Many people would agree that scientists need free and open access to data, and to the results of their studies in order to facilitate research. I suspect that most people would also expect that scientists would also accept their responsibilities to ensure the confidentiality of the data that they have, and this is where the false dichotomy of this kind of analysis breaks down. There could be both research and privacy/security if medical researchers consistently applied basic IT security to their systems and their practices. The frequency of medical breaches suggests that medical IT practices don't live up to this expectation.
TSA removing 'virtual strip search' body scanners
"Backscatter" machines being removed after failing to meet congressional deadline to install privacy software on the machines. It's important to note here that both these and the millimeter wave machines that do have the privacy software installed collect the data for a much more detailed image than the one displayed, which means that this is more of a privacy by remediation than a privacy by design solution.
Sheriff's Office wants to fly drones over Orange County skies
Once a military technology is built, the building company will always look for new markets. This dovetails nicely with the current climate of fear about <insert random threat of the week> and enables police to surveil everywhere.
ANTI-SURVEILLANCE STATE ACTIVISTS BEGIN ‘GAME’ TO DESTROY CCTV CAMERAS IN GERMANY
Before you rush to judgement on this one, imagine if these were 'democracy activists' in the old East Germany. Wouldn't the destruction of surveillance cameras be considered a defence of civil liberties?
Privacy Story of the Week (PSotW) - January 13
No need for papers, we have your license plate
Cheap data storage, better surveillance equipment, and the false belief that knowing more instead of knowing better makes us safer lead police to a place where they end up acting like the secret police in a cheap thriller.
There were a number of stories this week about automated license plate recognition systems (ALPR) being tested or used in a number of cities, including Ottawa and Vancouver where the privacy commissioner ordered the police to change the way that they used the cameras. While known by many names or acronyms, these systems combine character recognition technology with (usually) infrared cameras to record the license plate number of every vehicle that they 'see'. The systems were originally designed for fixed use, such as in a camera over an intersection (like a red-light or speeding camera).
In Ottawa the system is used to cross-check the plate number to search for outstanding warrants, stolen vehicles and driving infractions. In Vancouver, where the system was used for similar purposes, the issue for the privacy commissioner was the 'non-hit' data (about 98% of the data collected), that is to say the information about all the drivers whose license plate, time and location was recorded who did not have a stolen vehicle, an outstanding warrant, or a driving infraction. It turns out that this data was being turned over to the RCMP so that they could compile a list of innocent drivers in case an alibi ever needs to be checked. This reeks of the 'If you've got nothing to hide, why does this bother you?' argument that is often used by surveillance advocates. Of course this misses the point entirely. As Daniel Solove has pointed out, the prior question is, "What gives you the right?". It is worth remembering here the 2004 case of the Edmonton Sun reporter Kerry Diotte who was critical of photo radar systems in Edmonton and was consequently targeted by some police officers, in part by using the system itself.
The head of the Ottawa Police Board seems to understand the gravity of the nature of the potential rights infringement here, and has asserted that these readers will be subject to a full public discussion about privacy safeguards. For example, the Ontario Provincial Police, working with the Ontario Privacy Commissioner's office, have engineered the system to delete 'non-hit' data within 20 minutes of collection. This seems in stark contrast to the Victoria police who have, according to an op-ed in the Victoria Times-Colonist, refused to comply with the BC Privacy Commissioner's order and continue to collect, store, and forward information to the RCMP. It's not clear from the story what the original scope of the BC Commissioner's order was. If it was for a specific police force, and not directed to the Victoria force, then they are not necessarily defying a Commissioner's order. Nonetheless it is clearly the case that the Victoria Police Board (who voted on this in-camera) have placed the convenience of their investigation above the privacy rights of the citizens they are supposed to protect. This is the attitude of a force that sees the citizenry as objects of suspicion and that need to be controlled. This is not the attitude of a police force in a modern democracy.
Finally, in related news, even if you do manage to maintain some semblance of anonymity by not having your license plate tracked, your car has a black box that is collecting information about you and your driving habits.
Other privacy stories of note
Privacy breach at HRSDC (again)
This time it was an unencrypted external hard drive, containing the information about 583,000 Canada Student Loan borrowers. Just what they needed on top of paying off the debts - the possibility that their data could be used for identity theft to put them farther in debt. You can see the Globe and Mail story here.
Canadian Government Unveils Big Loopholes in Anti-Spam Regulations
Intensive lobbying by business groups has watered down the effectiveness of the proposed regulations, so that we can expect continued intrusions upon our privacy. You should consider reading this in conjunction with the CBC story, Offshore telemarketers defy Canada's do-not-call list
When Privacy and Enhanced User Experience Collide Online
Disney World's new plan to track visitors with wireless bracelets... coming soon to a theatre near you?
Obama OKs Netflix-to-Facebook Sharing as E-Mail Privacy Reform Falters
Do you really want the default on your Netflix or other streaming video to be to share?
U.S. Spy Law Authorizes Mass Surveillance of European Citizens: Report
Is anyone surprised that the U.S., self-declared policeman to the world, arrogates to itself the right to infringe on non-U.S. citizens' data sovereignty?
How Generation Y really feels about online privacy
A group of consumer panelists shared their candid thoughts on online privacy during a tell-all panel discussion on Generation Y and digital media at CES.
Report on the European Commission's data protections (this link opens the pdf of the report)
See the commentary about this on the Privacy and Information Law Blog. Of note in the context of this week is the contradiction between the report author's expectation of scope extending to non EU-based controllers and the above mentioned "U.S. Spy Law". More privacy conflicts ahead for the EU and the US. The tech industry, especially those that depend on user data and profiled advertising will not be pleased, according to a Wired UK piece.
Checking the Numbers Behind BC CareCard Fraud
A nice analysis, with more to come, on the proposed hi-tech provincial identity card for services.
Privacy Story of the Week (PSotW) - January 6
Delayed breach reporting and a hesitant response by the Privacy Commissioner - at first.
At the beginning of this week it was reported that the personal information of thousands of Canadians had 'gone missing'. The facts of the case to date seem to be that an employee of Human Resources and Skills Development Canada (HRSDC) reported a lost memory stick. The memory stick was unencrypted, in violation of the HRSDC's policies, and contained sensitive information about 5,000 or so Canadians. The information lost is reported to include names, social insurance numbers, and disability/health information about the affected individuals. The HRSDC has notified, or is in the process of notifying, the affected individuals and continues to search for the lost memory stick.
This file appears to have been badly handled on a number of levels. The first and most obvious is how did the information end up on an unencrypted memory stick in the first place? We have to ask what purpose was being served? If the employee in question had a laptop from HRSDC, why did they need the stick, and if they didn't have a laptop were they planning to use the information on their home computer? I can't count how many bad practices that entails.
Parenthetically I'll note that, according to a separate news piece this past week, employee training can reduce insider breaches by 58% and that monitoring computers combined with meaningful sanctions of employees can reduce this by another 40%. It will be interesting to see what the OPC report will have to say, if it is made public, about both the level of employee privacy training and what the consequences are for employees who violate departmental privacy and security rules.
If we set aside the original problem, we are still left with a couple of puzzling questions about both the HRSDC and the OPC. On the HRSDC side more than a month passed between the reported loss and when the loss was reported to the OPC. Further, although it's not entirely clear in the reports I've read, it also appears that a similar time frame elapsed before the HRSDC started notifying the affected individuals. This is, not to put too fine a point on it, inexcusably lax. If the memory stick is actually lost or sitting at a dry cleaner's somewhere - no actual harm, other than the stress of knowing that this information has been lost, is likely to come to the individuals affected. If, on the other hand, the memory stick has landed in the hands of a person or persons with the skills and the inclination to use it for identity theft or fraud, then the faster the individuals know about this the better - in order to take the steps necessary to protect themselves. If the timeline is as reported and the HRSDC did delay a month before contacting individuals, then it sadly looks like managers at that department were more concerned about the department's reputation and their careers than they were concerned with the individuals whose information they were charged with safeguarding.
On the OPC side I'm puzzled by the initial response by the OPC. The commissioner has been suggesting in more than a few forums that the ombudsman role that her office fulfills seems to be increasingly inadequate to the environment that everyone's personal information inhabits. In that light, this seems to have been a case where the OPC would be well within its mandate to self-initiate an investigation without waiting for a complaint or complaints. In the news that announced that the OPC will investigate this issue, it was also stated that the OPC had taken close to 200 calls from people expressing concern about the breach. Surely if the OPC wants to move out of the ombudsman role it will need to be more proactive in the future.
The following is a timeline of what has been reported to date:
On November 16th, an unencrypted memory stick with personally identifiable information was reported missing by an employee at Human Resources and Skills Development Canada (HRSDC).
On December 21st, HRSDC notified the Office of the Privacy Commissioner of Canada (OPC) that the data had been lost.
On January 4th, the OPC confirmed, after what appeared to be some waffling in the media, that it will be investigating the matter.
Other privacy stories of note
Store video cameras failing to comply with privacy laws
Not a single store in Toronto's Eaton Centre had proper signage about cameras
Watch Out! New Video Law Lets Netflix Share What You're Viewing
It passed the House, the Senate, and just before the new year, the President signed it into law. In a significant shift in video privacy - online video rental companies can now share information about the movies you rent or buy. As you might expect, things are about to get more social.
The long arm of Connecticut law supports personal jurisdiction over Canadian employee accessing company’s U.S. server
A Canadian employee of a U.S. firm allegedly forwarded confidential information from her corporate email to her personal email. The Connecticut courts held, on appeal, that because the server was located in Connecticut, the employer could sue and that the defendant would have to defend herself.
Docs lack access to psychiatric records
Medical centers that elect to keep psychiatric files private and separate from the rest of a person's medical record may be doing their patients a disservice, a Johns Hopkins study concludes.
When the cops subpoena your Facebook information, here's what Facebook sends the cops
The January/February Issue of the Journal of the American Medical Informatics Association has a dedicated Focus On Patient Privacy
Link
TidBITS: Examining Apple’s Security Efforts in 2012
Link
Privacy poachers take big hit: "The Ontario Court of Appeal’s creation of a potentially sweeping new tort for invasion of privacy will generate litigation and other revenue opportunities for a broad cross section of the Bar, lawyers predict."
It remains to be seen whether this will actually translate into active class action suits. However, given the frequency of data breaches related to apparently bone-headed practices, if this does become material for a class action, the privacy world just got a lot more interesting.
In the meantime, of course, since it is unclear whether or not class actions will be certified, privacy officers have an opportunity to present this decision to senior management and argue for budget increases. Even more importantly this might create more attention for privacy issues inside organizations that traditionally dismissed any worries about privacy.
Interesting stuff….
Link
According to a press release from Minister Toews Office, "The Government of Canada is proud to promote an open, resilient and trusted cyberspace." This is, of course, not borne out by the evidence.
This government is the least open Canadian government, at least in living memory. When was the last time you saw Prime Minister Harper in a scrum - risking facing the press in an unscripted or uncontrolled environment? This government reflexively denies or delays Freedom of Information requests. Ministers and senior bureaucrats must route all communications through the Prime Minister's Office. With a reduced, and possibly cowed, CBC and an increasingly fact-free mainstream media, 'open' is a quaint notion from a bygone century.
Similarly, the 'Lawful Access' legislation that has been promised to be re-introduced this spring will reduce the resiliency of Canadian information infrastructure and will do it because of the deep distrust of citizens that the Harper government has. This legislation will dramatically increase the amount of information about citizens that the police have ready access to without judicial or civilian oversight. It ramps up the surveillance capabilities of the state, in other words. Needless to say, or rather what must be said, is that increased surveillance by the state of its population is the hallmark of authoritarian regimes, not democracy.
It used to be that Freedom of Information meant that citizens had a right to know what the powerful were doing behind closed doors, and Privacy meant that citizens were free to express their opinions and live their lives with some assurances of anonymity from the state. In other words, Freedom of Information and Privacy served to address the imbalance of power between the state and the citizen.
In Harper's world, these concepts have been reversed. The Harper government needs privacy to conduct its business away from the prying eyes of the public, who can't be trusted with the kind of information that the government has to deal with. Similarly, as citizens we are all suspect, and the state must have the freedom to have access to whatever information it deems necessary about us to ensure that we are harmless.
If we are not careful, Data Privacy Day may become a day of remembrance instead of a day of celebration.
Link
The iEconomy: Apple’s iPad and the Human Costs for Workers in China:
A staggering manufacturing system in China has made it possible for Apple and other companies to make devices almost as quickly as they can be dreamed up, but for workers, it can be dangerous.
(Via NYT > Technology)
Link
Infographic: Canada's CEO Elite 100:
CBC Radio’s weekly series, Type A released a comprehensive infographic based on the Canadian Centre for Policy Alternatives' recent report, Canada’s CEO Elite 100: The 0.01%.
For more information, read the original report here and be sure to visit The Clash for the Cash: CEO vs. Average Joe to find out how much the CEOs have earned so far.
(Via CCPA)
Link
Further to my prior comment about measuring the wrong economy...
Job Vacancies vs. Unemployment:
Progressive economists have advocated expansionary fiscal and monetary policies to boost demand and create jobs, given the high rate of unemployment. By contrast, employers and conservative commentators complain of unfilled vacancies and labour shortages, emphasizing policies to increase labour supply and labour mobility.
Today’s new Statistics Canada survey of job vacancies sheds fresh light on this debate. The finding that “there were 3.3 unemployed people in Canada for every job vacancy” confirms that the main problem is a lack of jobs, not alleged disincentives to work or barriers to labour mobility. In other words, policymakers should focus on the demand side rather than on the supply side.
In Alberta and Saskatchewan, provinces supposedly plagued by labour shortages, there were three unemployed workers for every two vacancies. Even in mining, oil and gas – the sector with by far the highest rate of job vacancy – unemployment exceeded vacancies. These figures debunk the view that the solution is simply to prod workers to move west.
(Via The Progressive Economics Forum)
Link
Is it just me or would it make more sense to govern the economy so that the reported measure of performance is something other than GDP or some stock market index? I'm thinking total employment and median wage for the bottom three quartiles might work. If more people are working and making more money, then the economy is running fine. If they are not, it hardly matters if the GDP and stock market are up.