I have long since reached my
frustration point. Increasingly I am seeing calm, rational security
& privacy bloggers starting to lose it with those who should be
responsible... This post is typical. If nothing else, a poor
response will raise your negative profile.
Ca: Computers with personal info stolen from Waterloo Region District School Board
I wasn’t even going to mention this
breach on this blog. I originally intended to just add it to
DataLossDB, but when I read it, I was somewhat put off by the school
board’s actions and statements so I decided to comment on it here.
Nine computers
stolen from the Waterloo Region District School Board’s education
centre in Kitchener on Dec. 1 contained personal information about
individuals.
So, should parents
and families be worried?
“If there are
risks associated with the content, we will contact families
directly,” said board chair Catherine Fife on Friday after the
first media release was issued on the month-old break-in and theft.
So more than one
month after the theft, the board still hasn’t determined if there
are risks and hasn’t contacted anybody directly?
Why not? Are they working round the clock on this or did they take
the holidays off or..?
“I think, as a
board, we are being responsible by sharing the information and
letting the public know that a breach has occurred.”
No details on what
type of personal information was contained on the laptops, used by
staff, were released by the Board on Friday.
The number of
people or families with information at risk was not released.
Families should be grateful that
the board disclosed that there had been a breach a month after the
fact and without any details? This is what the board considers being
responsible? Seriously?
More than one month after a breach,
the board should not only have notified employees or parents of
students who might have been affected but they should have made a
public disclosure that contains some actual… what’s that word I’m
looking for…. oh, right: details.
The board says the
computers conform to industry standards and highly specialized
knowledge would be needed to bypass security to get at the
information.
“They may not be
able to access that information,” Fife said. “It’s a layered
process.”
This has nothing to do with
computers conforming to industry standards. It has everything to do
with the school board having good security protocols in place and the
employees complying with them. Are we to infer that the files or the
drives weren’t actually encrypted?
[...]
Board staff are
working on a list of individuals whose information was on the stolen
computers.
Why isn’t that list compiled
already? Were there thousands of individuals or students whose names
needed to be compiled? Did the board have current backups of all of
the nine laptops’ drives?
I know that Canada has different breach
disclosure and breach notification requirements than U.S. states do,
but I would hope that the Privacy Commissioner of Ontario, Dr. Ann
Cavoukian, would open a sua sponte investigation into this
incident to determine if Waterloo Region District School Board had
adequate security and privacy protections in place and whether their
breach response is reasonable or not. If I were a parent of a
student in that district, I’d want to know why we hadn’t already
been informed of the breach and what data was on it from our family.
This was the school board’s second
disclosed breach in the past six months. The first, disclosed in
August, involved two microfilm tapes containing data on over 2,250
students that went
missing in the mail to them from a firm in Winnipeg. After that
breach, the board changed to using a courier service. It was never
disclosed when that loss actually occurred or what security was on
the microfilm tapes.
Maybe the Waterloo Region District
School Board has a reasonable explanation why notification has been
delayed in its most recent breach. Maybe they don’t. But so far,
their “disclosure” leaves this blogger with more questions than
answers.
“...because parents don't know how to
raise children.” Do you suppose the school would allow parents to
see all the data on their children?
MO: Parkway’s use of fitness monitors raises privacy questions
Mary Shapiro:
When is the line crossed between better health and surveillance?
In early 2012,
wristwatch-like devices called Polar active monitors will be used by
older students in PE classes at all 18 Parkway elementary schools.
District officials say the devices should help improve the students’
fitness and academic achievement.
Later this school
year, the district plans to collect data about activity levels and
even sleep patterns for a week at a time. It will have the students
wear the devices round the clock.
Some parents and
legal experts are raising privacy concerns about at least that aspect
of the program.
[From the article:]
Cara Bauer, PTO president at Shenandoah
Valley and mother of a son in first grade and a daughter in fifth
grade, said she's heard about the monitors from her
daughter, Caroline. She said her daughter doesn't like
wearing one and calls them "the funny watch."
"I wish Parkway
would let parents know what's going on with the program,"
Bauer said.
… Neil Richards, a professor of law
with Washington University in St. Louis who teaches privacy and civil
liberties courses, said he feels the plan for the devices constitutes
"a major privacy issue."
"The school district eventually
will be engaging in surveillance of kids' sleep and exercise patterns
outside the school day," he said.
… And wearing them voluntarily
doesn't eliminate privacy concerns, Richards said.
"They'll create a record of
medical information about children around the clock," he said.
"Even if it serves laudable public health goals, it's a fairly
Orwellian step for a school district to engage in."
We have seen this coming for years.
Ever since accountants brought Apple IIs with VisiCalc into the
office. After extensive legal research and with years of
professional experience I can definitively state that the correct
answer is “Is pendeo...” or perhaps “Il dépend... ” – in
either case that translates to “it depends...”
"As companies increasingly
enable employees to bring their own devices into business
environments, significant
legal questions remain regarding the data consumed and created on
these employee-owned technologies. 'Strictly speaking, employees
have no privacy rights for what's transmitted on company equipment,
but employers don't necessarily have access rights to what's
transmitted on employees' own devices, such as smartphones, tablets,
and home PCs. Also unclear are the rights for information that moves
between personal and corporate devices, such as between one employee
who uses her own Android and an employee who uses the
corporate-issued iPhone. ... This confusion extends to trade secrets
and other confidential data, as well as to e-discovery. When
employees store company data on their personal devices, that could
invalidate the trade secrets, as they've left the employer's control.
Given that email clients such as Outlook and Apple Mail store local
copies (again, on smartphones, tablets, and home PCs) of server-based
email, theoretically many companies' trade secrets are no longer
secret.'"
Very interesting idea. Are you reading
this, RIAA? (Is this a return to the communication methods we used
before Gutenberg locked us into text?)
An anonymous reader writes with this
snippet from The Conversation:
"According
to the Wall Street Journal, camera manufacturer Kodak is preparing
to file for Chapter 11 bankruptcy, following a long struggle to
maintain any sort of viable business. The announcement has prompted
some commentators to claim that Kodak's near-demise has been brought
on by: a failure to innovate, or a failure to anticipate the shift
from analogue to digital cameras, or a failure to compete with the
rise of cameras in mobile phones. Actually, none
of these claims are true. Where Kodak did
fail is in not understanding what people take photographs for,
and what they do with photos once they have taken them."
Continues the reader:
"Looking
at camera data from Flickr, of images uploaded in 2011, camera
phones only make up 3% of the total. Dedicated
cameras from Canon, Nikon and yes, Kodak were used to take 97% of the
images. What Kodak failed to understand is that people
have switched from taking photos for remembering and commemorative
reasons to using photos for identity and communication.
The shift changes the emphasis away from print to social media
platforms and dedicated apps."
Another example of the “not
invulnerable” Google?
Open Source Maps Gain Ground as Google Paywall Looms
Nestoria is one of those companies that
was told it would have to start paying real money for Google Maps.
When Google couldn’t tell it exactly how much, Nestoria kicked
Mountain View to the curb and switched to OpenStreetMap, a free,
collaborative effort to map the globe.
But that’s only part of the story.
Nestoria’s “free and open” map data is actually served up by
MapQuest, the once and future mapping outfit that ruled the web
before Google Maps stole its thunder.
… OpenStreetMap, or OSM, is yet
another example of a project that manages to compete with a massive
tech company simply by crowdsourcing a problem. Much like Wikipedia
challenged Encyclopedia
Britannica and Linux took on Microsoft Windows, OpenStreetMap is
battling Google Maps, and at least in some cases, it’s winning.
Your phone as guidebook?
January 08, 2012
DC.gov - applications built by DC government
Apps include: DC Police Crime
Mapping, Where is my Bus?, DC Wi-Fi Hot Spot Map, AreYouSafe DC,
find a metro dc, DC Multimodal Crime Finder
Is this an example of “Book 2.0?”
Writing as a collaborative act?
January 07, 2012
Government As a Platform
You are reading the text of an
O’Reilly book that has been published (Open Government). However,
the author of this piece—Tim O’Reilly—understands that the
ideas in this chapter are evolving and changing. We’re putting it
here to get feedback from you—what are your ideas? This chapter
uses the Open Feedback Publishing System (OFPS), an
O’Reilly experiment that tries to bridge the gap between
manuscripts and public blogs.
Perspective: Perhaps Internet TV isn't
ready for prime time? Or perhaps the couch is a more comfortable
place to watch zombie movies?
How People Watch TV Online And Off
… Just in terms of audience reach,
Nielsen estimates that almost 145 million people watch video online
in the U.S., compared to about 290 million who watch traditional TV.
So the penetration of online video is already about half of the
overall TV-watching population.
Yet for all the video people watch on
the web, it is still a tiny fraction of how much they watch on TV in
terms of time spent. In a report put out yesterday on the State of the
Media summarizing 2011 data, Nielsen estimates Americans
spend an average of 32 hours and 47 minutes a week watching
traditional TV. They only spend an average of 3 hours and 58 minutes
a week on the Internet, and only 27 minutes a week watching video
online. All those billions of videos watched online still only
represent 1.4 percent of the time spent watching traditional TV.