Privacy by Design is Crucial to avoid IoT Disasters

If anyone doubts that Privacy by Design is a fundamentally important principle, consider these two recent articles.

This Wired article describes a hack being detailed at the upcoming Defcon conference that can easily read and type keystrokes from wireless keyboards that are not Bluetooth.  So you might want to consider replacing any non-Bluetooth wireless keyboards you have.

Security expert Bruce Schneier wrote this article entitled “The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters” that explains the IoT risks. The fundamental problem is that not enough attention is being paid to security for IoT devices.  This leaves a door open to situations where a hacker can, for example, easily get into your thermostat and then use that as a connection point to your network.  Cory Doctorow of Boing Boing refers to this as a coming IoT security dumpster-fire.

Bruce describes it this way:

The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the internet. That number is about to explode.

 

Cross-posted to Slaw

Rio Olympics Social Media guidelines

It seems that dubbing major sporting events the “largest social media event ever” is even trendier than the social networking platforms themselves, and Rio 2016 is no exception. All hype aside, the Rio Olympics haven’t reinvented the wheel, and seem to impose similar restrictions as their predecessors.

The IOC describes appropriate uses and prohibitions in their Social and Digital Media Guidelines. All accredited individuals (athletes, coaches, and officials) who are not accredited as media are allowed to “share their experience at the Games through internet or any other type of social and digital media, provided that it is done in a first-person, diary-type format”. Individuals posting must “conform to the Olympic values of excellence, respect and friendship” and “should be within the bounds of dignity and good taste”.

Those restrictions are similar to many corporate social media policies. But it gets more restrictive and allows accredited persons to share only “still” images to social and digital media taken within the Olympic venues. Audio or video taken in Olympic venues can’t be shared on social media without IOC consent. There are also “no picture areas”.

Restrictions exist for spectators pursuant to the Ticket Holder Policy (there are 19 pages of conditions attached to a spectator ticket) which says in part:

12.6.3 Ticket Holders may capture, record and/or transmit still images and/or data taken within venues including by sharing such still images and/or data on social media and the internet provided such capture, recording or transmission is made solely for personal, private, non-commercial and nonpromotional purposes.

12.6.4 Ticket Holders may capture, record and/or transmit audio or video taken from venues, solely for personal, private, non-commercial and non-promotional purposes, with the exclusion of licensing, broadcasting and/or publishing any such video and/or sound recordings including on social media and the internet.

Frankly, I don’t know what that last one means – it seems to give permission and take it away at the same time.

Many of the restrictions are well intentioned – for reasons such as athlete security and privacy. Much of it will be to satisfy mainstream media and sponsors that pay huge amounts of money for exclusive rights. But some of it seems unrealistic. It will be interesting to see how aggressively they will be enforced.

I wonder what the IOC will think about athletes and spectators playing Pokemon Go at Olympic venues?

Cross-posted to Slaw.

Raspberry Pi workshop at UnLondon makerspace

Makerspaces (sometimes called hackerspaces) are community workspaces – generally in the tech and digital arena.  Entrepreneurs might use them as workspaces and to collaborate with colleagues.  Hobbyists might use their tools to make something.  They often put on workshops – typically around tech and equipment – such as 3D printers.  They perform a valuable service to foster learning, creativity, and entrepreneurship.

I learned how to use a Raspberry Pi yesterday at a workshop at UnLondon.  (Harrison Pensa is a sponsor of UnLondon, and of their recent Explode conference.)  The first project was to wire and code (in Python) an app to create a blinking LED.  Crude, yes, but a good, quick introduction.

For those not familiar with the Raspberry Pi, it’s a tiny, inexpensive computer that is almost as powerful as a desktop.  Google Raspberry Pi to see hundreds of things people have made with them – including robotics controllers, TV set-top boxes, arcade games, networking equipment, and home automation.

I’m going to make something with mine for my office – perhaps an information display of some kind – but I’m open to suggestions.

Cross-posted to Slaw.

 

Three Business IP Scams to Watch For

It’s summer vacation season, and worth a reminder about some common business IP scams to watch out for.  Staff covering for vacations and unfamiliar with these may be more vulnerable to them.  While there are lots of scams out there, these three are the ones I get asked about most by clients.

The trademark registration scam.  Scammers monitor the trademark application process, and send an invoice to the trademark applicant that looks like it is part of the trademark application process.  If you read it very carefully it says it isn’t an invoice, and it is a pitch for a service, but it’s easy to mistake it for a legitimate invoice and pay it.  Most of these originate offshore, so good luck trying to get your money back.

The directory scam.  You get an invoice for the registration of your business in an important sounding directory.  Again, if you read it carefully it says it isn’t an invoice.  If you pay it, you may actually get listed in the directory – but the directory is useless.  And again, most of these originate offshore, so good luck trying to get your money back.

The domain name scam.  You get an email from an offshore domain name registrar saying that someone else has asked them to register your name as a domain name.  Their goal is to get you to pay them to register your name instead.  Of course it’s all a ruse.  If you do think it might be a good idea to get that domain registration for yourself, go through your normal registrar, not this one.

Cross-posted to Slaw

Emerging tech – potentially awesome and a privacy quagmire

I attended an event last night where Duncan Stewart of Deloitte talked about their TMT predictions for 2016.

It reinforced for me that the future of tech and what it will do for us is potentially awesome.  But also at the same time the amount of information that is being collected and stored about each of us is staggering.  That creates real privacy challenges, and real possibilities for abuse.  And because the information is there, there is a tendency for government and business alike to want to use it.

One scary aspect is that the more we get used to more information being collected about us, the more complacent we get.  Our personal freaky line – the line at which we stop using services because we are concerned about privacy issues – moves a little farther away.  That is in spite of the fact that the more information there is about us, the more ripe for abuse it is, and the more that we temper or alter our behaviour because we know we are being watched.

Think for a moment about all the information that is increasingly being collected about us.

  • Smartphones that know our every move and the most intimate and personal aspects of our lives.
  • Intelligent cars that know where we go and how we drive.
  • The internet of things where the stuff we own collects information about us.
  • Wearable tech that collects information about our fitness, and increasingly our health.
  • The trend for information and services to be performed in the cloud rather than locally, and stored in various motherships.
  • Big data that functions by saving as much information as possible.
  • Artificial intelligence and cognitive learning tools that can turn data into useful information and make inferences based on seemingly unconnected information.
  • Blockchain technology that has the potential to record surprising things about us.

On top of all this, it is becoming increasingly harder to understand when our info is staying on our device, when it goes somewhere else, how long it stays there, who has access to it, when it is encrypted, and who has access to the encryption keys.

It is in this context, and the fact that we just don’t have the time to spend to understand and make all the privacy choices that we need to make, that the Privacy Commissioner of Canada last week released a discussion paper titled Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act.

The introduction states in part:

PIPEDA is based on a technologically neutral framework of ten principles, including consent, that were conceived to be flexible enough to work in a variety of environments. However, there is concern that technology and business models have changed so significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent.

Indeed, during the Office of the Privacy Commissioner’s (OPC’s) Privacy Priority Setting discussions in 2015, some stakeholders questioned the continued viability of the consent model in an ecosystem of vast, complex information flows and ubiquitous computing. PIPEDA predates technologies such as smart phones and cloud computing, as well as business models predicated on unlimited access to personal information and automated processes. Stakeholders echoed a larger global debate about the role of consent in privacy protection regimes that has gained momentum as advances in big data analytics and the increasing prominence of data collection through the Internet of Things start to pervade our everyday activities.

Cross-posted to Slaw

Enemy of the State – still topical

I recently watched the 1998 movie Enemy of the State.  It is a spy thriller about a lawyer being smeared by politicians because they believe he has information that can implicate them in criminal matters – the murder of a politician who was opposing a privacy bill that is really a bill empowering mass surveillance.  They use sophisticated, unsavoury, unethical, and illegal methods to watch him, discredit him, and retrieve the evidence.  No one is watching the watchers, who are out of control.

While like any disaster movie the plot is a bit over the top, it was fascinating to watch the movie again from a 2016 lens.  I challenge anyone to watch it and still say “I have nothing to hide” to dismiss privacy and surveillance concerns.

In a related sentiment, a recent study confirms that the knowledge that we may be watched puts a chilling effect on what we do.  This Techdirt article is a good summary of that study.

Cross posted to Slaw.

Panama Papers – Points to Ponder

The Panama papers revelations are worth pondering on many levels. (This Wired article is a good summary.)

My first reaction to the high level tax evasion and corruption allegations was to blanch at the thought that someone had basically given the entire contents of a law firm’s document management system to a third party.

As a lawyer, the fact that law firm files were leaked causes me to wince. After all, solicitor-client privilege is a fundamental tenet of democratic society. Law firms take the security of their files very seriously, and getting access to this information would not be an easy task.

This has parallels to the Snowden leaks. I’ve said before that Snowden should be congratulated, not prosecuted.

But this is not the same.

Snowden leaked information about one government entity. This is a leak with personal, sensitive, and confidential information about thousands of individuals and corporations. Some of the activities exposed by the press are no doubt illegal or unethical, some may raise a debate over where the line should be between tax avoidance and tax evasion, and issues around tax havens in general.

But that does not justify this kind of breach to the press.

Unfortunately this has set a smell test where anyone who has an offshore company, or any business such as a law firm that is involved in their creation, gets unfairly tarred with suspicion.

According to press reports the journalists won’t release the actual documents to respect the privacy of the innocent. That’s good – but that shouldn’t be a decision that a journalist should have to, or should get to make.

Apple fought the FBI to keep phones secure.  In that case the end the FBI was seeking did not justify the means. That is largely because it puts the information of everyone using an iPhone at risk. So how is this leak that exposes legal files of thousands of people any different? It seems that one minute we are applauding security and privacy – and yet we now seem to be applauding a massive breach of security and privacy.

It is too easy to dismiss this as a risk that is peculiar to law firms in tax havens that are perceived to facilitate unsavoury activities. Has this perhaps put a bigger target on law firms for both inside and outside hackers?

An IT security firm told me this morning that they have been contacted by a number of law firms that are wondering what shape their security measures are in in light of the Panama Papers.

Perhaps law firms everywhere should take another look at their security measures to reduce the chances this could happen to them.

Cross-posted to Slaw

E-mail – more secure than a postcard

The Apple – FBI tempest got me thinking about email security.  (Even though that fight was over device security, not email platform and transmission security.)

Email security has improved over the past couple of years, no doubt in part due to the Snowden – NSA revelations.  Many providers of hardware, software, internet infrastructure, and online services have taken steps to implement encryption in general, and to plug the gaps in the chain where encryption was missing.  Some, for example, had gaps as they passed email to other mail providers unencrypted, even if they encrypted it while they had it.  Encryption while in transmission is the baseline everyone should be working towards.

Anyone with their own mail server can enable TLS (transport layer security) to encrypt email that travels to other servers that use TLS. That encrypts server to server. (If your company has its own email server – ask about it.)  Some clients require their law firms to use TLS.

Webmail applications should in addition to using TLS, use https (take a look if you use one) to encrypt communication between your own desktop and their web server.  Our IT manager tells me that not all webmail applications use TLS.

While email doesn’t always have total end-user to end-user encryption, it’s a lot better than it used to be, and certainly a lot more seamless to set up and use than email encryption used to be.  It used to be said that email was no more secure than a postcard.  That’s no longer true.
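The server-to-server “gaps in the chain” described above can be seen in the Received headers that each mail server adds to a message. The following is an added example, not part of the original post: it reads those headers and reports which hops were made over TLS. The sample message, its hosts and its ids are constructed for illustration.

```python
import re
from email import message_from_string

# "with" protocol keywords that mean the hop ran over TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; every host, address and id is made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 04 Apr 2016 10:00:03 -0400
Received: from out.lawfirm.example (out.lawfirm.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 04 Apr 2016 10:00:02 -0400
Received: from desktop.lawfirm.example (desktop.lawfirm.example [203.0.113.5])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby out.lawfirm.example (Postfix) with ESMTPSA id ghi789;
\tMon, 04 Apr 2016 10:00:01 -0400
From: lawyer@lawfirm.example
To: client@recipient.example
Subject: constructed test message

body
"""


def _strip_comments(text):
    """Remove (possibly nested) parenthesised comments from a header value."""
    while True:
        stripped = re.sub(r"\([^()]*\)", "", text)
        if stripped == text:
            return text
        text = stripped


def _field(keyword, text):
    match = re.search(r"\b%s\s+([^\s;]+)" % keyword, text, re.IGNORECASE)
    return match.group(1) if match else None


def audit_hops(raw_message):
    """Return (sender, receiver, protocol, encrypted) per hop, oldest first."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(received):  # headers are stored newest first
        full = " ".join(value.split())  # unfold continuation lines
        bare = _strip_comments(full)
        protocol = (_field("with", bare) or "").upper()
        # Some servers note TLS only in a comment, so check there too.
        in_comment = re.search(r"(?:version=|using\s+)TLS", full) is not None
        hops.append((_field("from", bare), _field("by", bare), protocol,
                     protocol in TLS_PROTOCOLS or in_comment))
    return hops


def cleartext_hops(raw_message):
    return [(s, r) for s, r, _, enc in audit_hops(raw_message) if not enc]
```

Each Received line is written by the server that accepted the message, so only the lines added by servers you trust are reliable evidence of how a hop was made.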

Cross-posted to Slaw

 

 

Has Apple lost its mojo, or is something else going on here?

Apple had an event this week where they announced new products.  But it lacked the excitement and wow factor that we have come to expect.  Has Apple lost its mojo, or is something else going on here?

New product announcements from Apple and Google seem less impressive than they used to be.  They seem more evolutionary than revolutionary.

There could be a number of reasons for that.

Product innovation is happening at a faster pace than ever before.  Are we getting so used to that pace that we have higher expectations for innovation than before?

Is the smartphone / tablet field so mature that it is less likely to be the subject of any new revolutionary “wow” or “just one more thing” developments?

Has the prospect for revolutionary development moved from the relatively mature smartphone / tablet field to things like virtual reality, 3D printing, artificial intelligence, drones, self-driving cars, wearables, and the internet of things?   (See Gartner’s latest Hype Cycle for Emerging Technologies.)

Many of those are in early days, and we have not yet grasped how they will impact us.  Some, such as AI, are behind the scenes, so while we have the benefit of it, it’s not something we can hold in our hand. And some are not as personal or multifunctional as a phone or tablet, and may never be something everyone will have.

To put that in perspective, almost everyone has a smartphone or tablet.  But it wasn’t that many years ago that a phone was considered a household or office device that you just made phone calls on – not a personal device that is basically an internet-connected computer that performs a myriad of tasks.

We forget that while the iPad, for example, was revolutionary when it came out, there had been several attempts to create tablets earlier.  They failed because they missed the mark on features and usability – in part because the tech had to catch up with the concept.  Like the entertainer who is perceived as an overnight success, but has spent years as a starving artist.

Cross-posted to Slaw

When corporate policies can backfire

Businesses and organizations rely on internal and external policies and procedures to document the way they do certain things. But if not written carefully, they can actually add risk.

Many of these are compliance based. In other words, they set out how in practice the business will deal with various legal obligations. Depending on the nature and size of the business, they could deal with things like privacy, anti-spam, workplace safety, money laundering, and the list goes on.

Having these policies can help reduce legal risk, and help ensure that employees do the right thing.

Sometimes businesses create policies and procedures that impose obligations on themselves more onerous than needed to comply with the law. There are a number of reasons for doing that. Perhaps the business feels a moral obligation to do better on the environment, for example. Or perhaps there is a strong corporate culture around customer service that goes far beyond consumer protection laws.

But perhaps the business does not really understand the laws in the area and the actual obligations they impose.

No matter what the reason, the risk is that by creating a more onerous policy / procedure than necessary, the business can increase its legal obligations. Sort of like writing its own more onerous laws.

That increased obligation may become the standard or promise to which the business is judged by customers, by regulators, and by courts.

That’s fine if it is a conscious decision, but not if it is an unintended consequence of misunderstanding the laws they must comply with.

Cross-posted to Slaw