Self driving cars – privacy points to ponder

Cars collect a significant amount of information about our driving. That data will increase dramatically as we move to autonomous vehicles – and with more data comes more ways to use it.

This information can be used now to find fault in an accident or convict us of driving offences. Some insurance companies offer discounts if we share that data with them and they decide we are a safe driver.

Cars increasingly rely on electronic systems for safety features, and self driving cars are coming. They will increasingly collect and store data about not just the car itself but also its surroundings, and will share that with other cars around it.

What might our morning commute look like in a few years?

A driverless car pulls up to your door. You are ready to go because the car sent you a text when it was 2 minutes away. When you get in the car greets you by name, and tells you traffic is light today. As it pulls out it, it asks if you would like to try a new coffee on promo at Starbucks instead of your usual Tim’s stop. You say yes, and it takes you through the Starbucks drive through. Your coffee is ready because the car has already ordered it and told Starbucks when you will arrive. And the car paid for it.

The car tells you your Amazon package should arrive at the pickup point today, and asks if you want to stop there on the way home.

You pass near a restaurant you have gone to before, and the car tells you about an upcoming special. The car makes a reservation for Friday at your request. As you near your office it shows you your schedule for today, and asks if you want to be picked up a few minutes later because of a late meeting.

So what’s going on here?

You may have programed in things like stopping at Tims on the way to work. Or it may have learned your habit after a couple of commutes. Starbucks may have paid for the special to be mentioned. It may have learned about the restaurant and your Amazon order by reading your emails and schedule.

That all sounds very convenient, but the price of convenience is surveillance. And with surveillance comes the ability for others to use that information for good and for evil.

It has been estimated that a self driving car might generate a gigabyte of data per second. It will be tempting to use that data for all sorts of things.

One vehicle data startup CEO says that by 2020, automakers will be able to make more money selling vehicle data than the cars themselves.

It is not far-fetched to imagine a scenario where a self-driving taxi ride could be immensely cheap or even free, because the revenue from advertising and data generated from the ride might be more valuable than the taxi fare.

For example, car cameras and sensors could spot available parking spaces, know how much traffic there is, how many pedestrians are on a block, and how many cars are in line at a drivethrough.

Who owns this information? Who has the right to use it? Car manufacturers will no doubt claim they do. Keep in mind that in the US secondary use of personal information is more acceptable than it is in Canada or Europe.

The privacy implications are enormous. It’s one thing to know that there are two empty parking spaces on a block. Its totally another to know that my car is parked there, or what stops I make on my commute.

Current privacy laws may not be adequate to deal with these issues. And it challenges the notion of meaningful consent.

As interesting as the idea of self driving cars is, we need to be sure that the price is not too high in terms of privacy and surveillance.

Anyone interested in a deeper dive (drive?) on this subject should look at the BC Freedom of Information and Privacy Association study titled The Connected Car: Who is in the Driver’s Seat?

Cross-posted to Slaw

CASL class actions are looming

The private right of action for sending spam in violation of CASL comes into force on July 1.  Many companies are dreading it – some class action lawyers can’t wait.  The right thing for the government to do would be to completely scrap CASL – the statute is that bad and ill-conceived.  But wishful thinking won’t make it go away.

At the moment, CASL violators are subject to enforcement proceedings by the CRTC. But after July 1, those who have been spammed in violation of CASL can sue the sender.  Here are some things to keep in mind about the private right of action.

  • Individuals can sue a CASL violator – but class actions are most likely.
  • CASL does not say if the right applies only to violations that occur after July 1.  That would be the most obvious interpretation, but expect plaintiffs to say it is retroactive.
  • In addition to the CASL anti-spam formalities, the right of action applies to the anti-harvesting provisions CASL added to PIPEDA, and the email false advertising provisions CASL added to the Competition Act.
  • Damages include actual damages plus statutory damages calculated in a couple of ways – $200 per violation or up to a million dollars per day.  It could get expensive.
  • Directors and officers are at risk to be sued.
  • Depending on timing, a notice of violation from the CRTC or entering into an undertaking with the CRTC may stay a court action.  The reverse also applies – a court can prevent an undertaking or notice of violation.  Potential defendants may have some influence over picking their poison.
  • Due diligence defences are available to mitigate the damage amount.

Cross-posted to Slaw

Lessons from the United passenger “re-accommodation”

The recent United Airlines incident where a passenger was dragged off the plane because United wanted the seat for a United employee is a good reminder of some social media realities.

The obvious lesson is to not bloody your passengers and drag them off your plane.  Or that just because you have the right to do something, doesn’t mean it’s the right thing to do.

But sometimes bad stuff happens.  And often someone is there to record and publish it for the world to see.

When that happens, the social media / public relations lesson is to not react in a way that makes it worse.  Don’t, for example, issue a statement talking about passenger “re-accommodation” that doesn’t suggest any kind of apology or sympathy.  Don’t try to deflect responsibility by talking in terms such as an “involuntary de-boarding situation” – or by focussing blame on the passenger.  And don’t justify it based on your policies or legal rights.  The court of public opinion doesn’t care much about that.

It wasn’t until the third attempt at a response from the CEO that the tone was one of apology and accepting responsibility.

In this case, outrage about the incident was followed by equal outrage about United’s reaction.  It resulted in a social media firestorm and some rather amusing barbs and parodies.

United’s stock lost over a billion dollars at one point yesterday.

The bottom line is if your firm is being lambasted on social media – don’t be tone deaf and defensive about it.  Take a few minutes to look at it from the public’s perspective before you respond.

Cross-posted to Slaw

Did Transport Canada just ground the Canadian hobbyist Drone market?

Transport Canada just put in force an order regarding the recreational use of model aircraft, enforceable by a $3,000 fine. Details are in the graphic below and on the Transport Canada Web site.

Operation of a drone over 35 kg, or for commercial use, has not changed, and still requires a Special Flight Operations Certificate.

Restrictions on flying near airports and aircraft are understandable.

But you can’t operate a model aircraft “at a lateral distance of less than 250 feet (75m) from buildings, structures, vehicles, vessels, animals and the public including spectators, bystanders or any person not associated with the operation of the aircraft”.

If we think about that, it leaves almost nowhere to fly.   You can’t fly it with a friend within 250 feet – unless somehow the friend is “associated with the operation of the aircraft”.   And what is meant by not operating within 250 feet of animals?  If you are in a remote area away from buildings and vehicles, there is likely to be some kind of animal nearby.

Given how restrictive these rules are, not many people will want to own one, and those who already own one may have trouble finding a place to fly it.

The Drone Manufacturers Alliance “believes new drone regulations announced today by Transport Canada will provide only a negligible increase in safety while sharply curtailing the ability of Canadians to explore, photograph their country, and teach their children about science and technology.”

They also said  “The Drone Manufacturers Alliance expects all our members’ customers to fly safely and responsibly, and our years of experience show that technology and education provide a better solution than a hastily-written ban.

Aviation authorities around the world have never recorded a single confirmed collision between a civilian drone and a traditional aircraft. Indeed, many initial drone sightings reported by aircraft pilots have turned out to be birds, balloons or even a plastic bag.”

The only realistic drone to purchase now in Canada are those that weigh 250 grams (0.55 pounds) or less, which are exempt from the rules.  Drones that small may not be as capable as larger ones, but they do exist.

Cross posted to Slaw

Researchers play along with “Tech Support” scam calls

Have you ever been tempted to play along with scammers that phone just to see where it goes and to give them some grief?  Researchers at the State University of New York at Stony Brook did that and more.

They sought out scammers who claim to be from Microsoft or some sort of official tech support, and followed it through to see what happened.  They set up virtual machines that looked like normal PC’s to the scammers who remote on, and let the scam play out.

This Wired article has more detail, including the paper that the researchers wrote, and recordings of the conversations.  It is worth a read if you are curious about how they do it.

Basically the scammer tells the victim that their computer is infected with viruses and spyware.  Then for about $300, offers to clean it up.

Only about 2% of the people they talk to fall for the scam – but the revenue generated is in the tens of millions of dollars.

The US FTC has already used information provided by the researchers to get a $10 million penalty against a Florida based call centre.  About 10% of the call centres are in the US – 85% are in India.

Cross-posted to Slaw

Privacy Commissioner posts new case summaries

Privacy breaches and complaints can often be resolved cooperatively.  We usually hear about the large, dramatic, far reaching breaches more so than the smaller ones that get resolved.

The privacy commissioner just released some examples.

In one example, a malfeasant social engineered some information from customer service representatives that enabled the malfeasant to contact customers and try to obtain more information that could be used for fraud.  The business investigated, contacted the individuals who may have been compromised, and took steps to reduce the chances of it happening again.

In another situation, a rogue employee took customer information which was used to impersonate the company to collect money from a customer.  The business was not very responsive to the customer complaint until the privacy commissioner got involved.   In the end the employee was dismised, the customer made whole, and steps were taken to reduce the chances of it happening again.

From a business perspective, it shows the need to take privacy complaints seriously, and deal with them quickly and effectively.

From a consumer perspective, it shows the need to be cautious when you are asked for your information – especially when someone contacts you.  And be patient when your service providers take steps to make sure you are who you say you are.

Cross-posted to Slaw.

Trump administration to roll back net neutrality

In 2015 the US FCC took steps to prevent ISPs from discriminating against internet traffic.  This is called Net Neutrality, which Wikipedia describes as “…the principle that Internet service providers and governments regulating the Internet should treat all data on the Internet the same, not discriminating or charging differentially by user, content, website, platform, application, type of attached equipment, or mode of communication.”

The gist of the concept is that the owner of the pipes shouldn’t be able to favour the delivery of its own content over content provided by others.

At the risk of oversimplifying this, net neutrality is generally favoured by consumers and content providers, but not so much by ISPs.

In what is seen as a backwards steps for US consumers, the new chair of the FCC has made it clear that he is not a fan of the principle.

For more detail, read this New York Times article titled Trump’s F.C.C. Pick Quickly Targets Net Neutrality Rules and this CNET article titled Meet the man who’ll dismantle net neutrality ‘with a smile’

Cross-posted to Slaw

Trump’s executive order on foreigners strips privacy protection for Canadians

Included in Trump’s reprehensible executive order “Enhancing Public Safety in the Interior of the United States” was this:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

The Privacy Act covers personal information held by US Federal agencies.  This would apply, for example, to information collected about Canadians entering the United States.

This should be attracting the wrath of the Canadian privacy commissioner and the Canadian government.

More detail is in this post by Michael Geist and this post on Open Media.

Given this attitude, we should be redoubling efforts to make sure our communications are encrypted.

Conventional wisdom has been that our data is just as safe in the US as Canada given that both countries have limits on privacy when it comes to law enforcement and government ability to dip into our information.  But this cavalier attitude puts that into question, and it may be prudent for Canadian entities to keep their data in Canada to the extent possible.  Where that isn’t practical, attempts should be taken (and assurances obtained from vendors) to encrypt that the data in a way that the provider doesn’t have access to it.

Cross posted to Slaw

The end of cloud computing

That’s the title of a 25 minute video that is worth watching if you have an interest in where computing is going.

Don’t panic if you have just decided to do more of you business computing in the cloud.  That isn’t going away any time soon.

It means that we will see more edge or fog computing.  Some of the computation that now happens in the cloud will increasingly happen at the edge of the network.  That might be in IOT devices, our phones, cars, or Alexa type devices.  Think of it as a return to distributed computing.  Peer to peer networks will become more common as well.  Such as cars that talk directly to each other to allow them to drive safer near each other.

In part this is because devices are becoming more capable.  For example, artificial intelligence now must use the cloud to figure out some queries.  Think of Siri or Alexa that sends your queries to the cloud.  Hardware and software advances will make it possible to do more of this at the end point – such as directly on your phone.  (That might have a side benefit of helping on the privacy front.)

Edge computing is in part being driven by necessity.  The sheer number of devices generating data, and the volumes of data they will generate, will be overwhelming.  For some applications, the cloud is simply not fast enough or reliable enough.  It is one thing if it takes a couple of seconds to get your answer back on the weather forecast.  But a self-driving car needs to react instantly to stop when someone steps off a curb in front of it.

The cloud will be where learning occurs, and where much of the data resides, but data curation and decision making will be done at the edge.

Cross-posted to Slaw