Friday, December 10, 2010

Sound risk management practices would include (at minimum) another layer that “assumes” loss/theft of “portable” devices is inevitable and requires encryption. (Is there any reason the data is on a portable device in the first place? Perhaps there is no Internet in Canada?)

Alberta’s Privacy Commissioner shocked over digital devices (updated)

December 9, 2010 by admin

A rash of theft and loss of digital devices has Alberta’s Information and Privacy Commissioner scratching his head.

In the past month, there have been seven self-reported breaches of personal information, each involving a stolen or lost laptop or digital device.

Two of those are government computers and personal information is at risk.

Frank Work says he finds it incomprehensible that in this day and age organizations can’t figure out how to properly protect personal information.


Do we know about all seven of the incidents? Thanks, Bart, for sending this in!

Update: Bart kindly sent me a second link. The breaches are described in this companion story in the Calgary Herald and involve healthcare sector, business sector, and other breaches involving sensitive PII and/or PHI.

For my Ethical Hackers

Beating Censorship By Routing Around DNS

"Last month, the US gov't shut down a number of sites it claimed were infringing copyright. They did it by ordering VeriSign to change the sites' authoritative domain name servers. This revealed that DNS is subject to government interference — and now a number of projects have emerged to bypass DNS entirely."

(Related) As 'Advertisers' and governments increase surveillance, tools to reduce surveillance proliferate.

BitTorrent Client Offers P2P Without Central Tracking

"While BitTorrent is the most popular P2P protocol, it still relies on several centralized points for users to find the files they are looking for. There have been several attempts at making BitTorrent more decentralized, and the latest Tribler 5.3 client is the first to offer the BitTorrent experience without requiring central trackers or search engines. Tribler offers some very interesting technologies; the latest version enables users to search and download files from inside the client. Plenty of other clients offer search features, including the ever-popular µTorrent, but Tribler's results come from other peers rather than from a dedicated search engine. Users can search and download content without a server ever getting involved; everything is done among peers, without the need for a BitTorrent tracker or search indexer."

A case of “data isn't important, until it is.” This is the same government that wants all of our health records online to make them accessible.

AP Enterprise: FAA loses track of 119,000 aircraft

The Federal Aviation Administration is missing key information on who owns one-third of the 357,000 private and commercial aircraft in the U.S. — a gap the agency fears could be exploited by terrorists and drug traffickers.

The records are in such disarray that the FAA says it is worried that criminals could buy planes without the government's knowledge, or use the registration numbers of other aircraft to evade new computer systems designed to track suspicious flights. It has ordered all aircraft owners to re-register their planes in an effort to clean up its files. [“Because we haven't been able to handle the data as it dribbled in, we want to try handling a flood of data.” Bob]

… The amount of missing or invalid paperwork has been building for decades, the FAA says. Up to now, owners had to register their planes only once, at the time of purchase. The FAA sent out notices every three years asking owners to update their contact information if needed, but there was no punishment for not doing so.

… The problem became more acute [Translation: “more obvious” Bob] after the government launched a new computer system for tracking flights called the Automatic Detection and Processing Terminal, or ADAPT, the FAA says. The system combines dozens of databases, from a list of stolen aircraft to the names of diplomats. [Because the FAA registers Diplomats too? Bob] It flags suspicious flights in red on a map. [...and? Then it ignores them? Bob]

Should I assume the hospital will accept all risk related to the shots?

NC Judge: Hospital Employees Must Get Flu Shot

December 9, 2010 by Dissent

Can’t say that I’m surprised by this one. Here’s the outcome of a workplace case mentioned previously on this blog:

The fight over flu shots at Anderson Area Medical Center is over and an employee who filed suit to keep the hospital from firing her if she didn’t get a shot has a deadline.

The judge in the case found in favor of the hospital, and now Bertha Hunter has until December 15 to get the shot or face losing her job.

The hospital requires employees to either get a flu shot or lose their jobs.

Read more on WSPA.

Bad user, bad!

US Trials Off Track Over Juror Internet Misconduct

"The explosion of blogging, tweeting and other online diversions has reached into US jury boxes, in many cases raising serious questions about juror impartiality and the ability of judges to control their courtrooms. A study by Reuters Legal found that since 1999, at least 90 verdicts have been the subject of challenges because of alleged Internet-related juror misconduct — and that more than half of the cases occurred in the last two years. Courts were fighting back, with some judges now confiscating all phones and computers from jurors when they enter the courtroom."


AU: Attorneys-general to discuss legal gags on Facebook

December 9, 2010 by Dissent

Options to enforce legal gags on users of social networking websites like Facebook will be discussed today at a meeting of Australia’s attorneys-general.

One of the attorneys-general, John Rau, from South Australia, this morning said he would raise concerns about the effectiveness of suppression orders in the age of social networking.

“The publishing on a site such as Facebook of the name of an accused, whose identity is suppressed, could prejudice a fair trial and prevent justice being done,” he said.

Read more in The Age.

If there is no further consequence, won't they just keep on sending those extortion letters? After all, they only lost four cases – after “settling” hundreds!

UK Copyright Blackmailers Rebuked By Court

"The first eight ACS:Law cases have reached the courts, and have already fallen on their face. The law firm hit the headlines when it demanded money from tens of thousands of Britons for illegal file sharing, threatening legal action. It seems its bark was worse than its legal bite, as default judgments have been refused in six of the cases for such egregious errors as attempting to make a claim when one is not even the copyright holder. Two of the cases were found in default as the defendants had failed to respond, but not on the merits of ACS:Law's case."

I suppose this is humor, but like all humor it has more than a grain of truth.

The first truly honest privacy policy

December 6, 2010 — It’s been a hell of a year for consumer privacy, or the lack thereof. From Facebook leaking personally identifiable information to advertisers, to data brokers harvesting reams of user information on social nets, to Google’s Wi-Fi slurping, 2010 may be remembered as the year the privacy chickens came home to roost -- and quickly got roasted.

Now Congress is debating new privacy laws and the FTC has weighed in with proposals for a No Tracking List to thwart nosy Web advertisers. The agency has also called for sites to create privacy policies a wee bit shorter and more accessible than, say, Facebook’s 5,830-word privacy opus. Not surprisingly, the online data industry immediately began trash talking the FTC’s ideas, calling for even more ‘self regulation’ and forming yet another industry consortium, the Open Data Partnership, to avoid a Federal smack down.

Apparently, the 10 years online data mongers have been given to come up with privacy protections that actually protect privacy hasn’t been enough. Just give them another 10 years and they promise they’ll get it right.

I’ve got a better solution. Instead of a welter of new laws or regulations, how about just one: The Honest Privacy Policy Act. The HPPA would require every company to post a simple, direct, and brutally honest policy detailing what really happens to your data.

To help this proposal along I’ve come up with one of my own – and it’s 5,085 words shorter than Facebook’s. Here’s what a real privacy policy might look like:

All new technologies “cloud” the law.

Do your cloud vendors disclaim security responsibility

Cloud computing contracts often contain significant business risks for end user organisations, according to independent research by UK academics. Some contracts even have clauses disclaiming responsibility for keeping the user's data secure or intact.

Others reserve the right to terminate accounts for apparent lack of use, which is potentially important if they are used for occasional backup or disaster recovery purposes, according to the Cloud Legal Project at Queen Mary, University of London.

Other contracts can be revoked for violation of the provider's Acceptable Use Policy, or indeed for any or no reason at all, the academics found.

The Cloud Legal Project surveyed 31 Cloud computing contracts from 27 different providers and found that many included clauses that could have a significant impact, often negative, on the rights and interests of customers. Only three of the contracts surveyed - Google Apps Premier, Iron Mountain and Salesforce CRM - state that changes to the T&C may only be in writing with the agreement of both parties.

For my Data Mining and Analytics students.

December 09, 2010

Strategic Use of Analytics in Government

Strategic Use of Analytics in Government: "Governments use analytics (often described as “business intelligence”) to enable and drive their strategies and performance in an ever more volatile and turbulent environment. Analytics and fact-based decision making can make a powerful contribution to the achievement of government missions, just as they are now making to the accomplishment of corporate business objectives. In their report, Professors Davenport and Jarvenpaa explore several important applications of analytics in government agencies and develop an assessment framework for those that either have not yet embarked on the analytics journey or are still in the early stages. The report focuses on four governmental mission and management areas — health care, logistics, revenue management, and intelligence — to which analytics has been applied. While the opportunities from analytics for improving efficiency and effectiveness in government appear limitless, there is much less clarity about the readiness of government to embrace analytics. [Why? Bob] While analytics is often depicted as a technological innovation, Davenport and Jarvenpaa are careful to point out that the use of analytics requires managerial innovation." [Because... Bob]
