E-mail – more secure than a postcard

The Apple – FBI tempest got me thinking about email security.  (Even though that fight was over device security, not email platform and transmission security.)

Email security has improved over the past couple of years, no doubt in part due to the Snowden – NSA revelations.  Many providers of hardware, software, internet infrastructure, and online services have taken steps to implement encryption in general, and to plug the gaps in the chain where encryption was missing.  Some, for example, had gaps as they passed email to other mail providers unencrypted, even if they encrypted it while they had it.  Encryption while in transmission is the baseline everyone should be working towards.

Anyone with their own mail server can enable TLS (transport layer security) to encrypt email that travels to other servers that use TLS. That encrypts server to server. (If your company has its own email server – ask about it.)  Some clients require their law firms to use TLS.

Webmail applications should in addition to using TLS, use https (take a look if you use one) to encrypt communication between your own desktop and their web server.  Our IT manager tells me that not all webmail applications use TLS.

While email doesn’t always have total end-user to end-user encryption, it’s a lot better than it used to be, and certainly a lot more seamless to set up and use than email encryption used to be.  It used to be said that email was no more secure than a postcard.  That’s no longer true.

Cross-posted to Slaw

 

 

Has Apple lost its mojo, or is something else going on here?

Apple had an event this week where they announced new products.  But it lacked the excitement and wow factor that we have come to expect.  Has Apple lost its mojo, or is something else going on here?

New product announcements from Apple and Google seem less impressive than they used to be.  They seem more evolutionary than revolutionary.

There could be a number of reasons for that.

Product innovation is happening at a faster pace than ever before.  Are we getting so used to that pace that we have higher expectations for innovation than before?

Is the smartphone / tablet field so mature that it is less likely to be the subject of any new revolutionary “wow” or “just one more thing” developments?

Has the prospect for revolutionary development moved from the relatively mature smartphone / tablet field to things like virtual reality, 3D printing, artificial intelligence, drones, self-driving cars, wearables, and the internet of things?   (See Gartner’s latest Hype Cycle for Emerging Technologies.)

Many of those are in early days, and we have not yet grasped how they will impact us.  Some, such as AI, are behind the scenes, so while we have the benefit of it, its not something we can hold in our hand. And some are not as personal or multifunctional as a phone or tablet, and may never be something everyone will have.

To put that in perspective, almost everyone has a smartphone or tablet.  But it wasn’t that many years ago that a phone was considered a household or office device that you just made phone calls on – not a personal device that is basically a internet connected computer that performs a myriad of tasks.

We forget that while the ipad, for example, was revolutionary when it came out, there had been several attempts to create tablets earlier.  They failed because they missed the mark on features and useability – in part because the tech had to catch up with the concept.  Like the entertainer who is perceived as an overnight success, but has spent years as a starving artist.

Cross-posted to Slaw

When corporate policies can backfire

Businesses and organizations rely on internal and external policies and procedures to document the way they do certain things. But if not written carefully, they can actually add risk.

Many of these are compliance based. In other words, they set out how in practice the business will deal with various legal obligations. Depending on the nature and size of the business, they could deal with things like privacy, anti-spam, workplace safety, money laundering, and the list goes on.

Having these policies can help reduce legal risk, and help ensure that employees do the right thing.

Sometimes businesses create policies and procedures that impose obligations on themselves more onerous than needed to comply with the law. There are a number of reasons for doing that. Perhaps the business feels a moral obligation to do better on the environment, for example. Or perhaps there is a strong corporate culture around customer service that goes far beyond consumer protection laws.

But perhaps the business does not really understand the laws in the area and the actual obligations they impose.

No matter what the reason, the risk is that by creating a more onerous policy / procedure than necessary, the business can increase its legal obligations. Sort of like writing its own more onerous laws.

That increased obligation may become the standard or promise to which the business is judged by customers, by regulators, and by courts.

That’s fine if it is a conscious decision, but not if it is an unintended consequence of misunderstanding the laws they must comply with.

Cross-posted to Slaw

Apple fights court imposed FBI backdoor order

Apple CEO Tim Cook has taken a very public stand against an FBI request and court order to create a backdoor into the Apple operating system.  This arose from the investigation into the San Bernardino mass shooting last December.

See this article on ZDNet for more details.  And Read Tim Cook’s customer letter posted on the Apple website for a more complete explanation of Apple’s position.

Kudos to Tim Cook and Apple for this.

Security and privacy experts continue to point out that backdoors are a bad idea that cause far more harm than good.

See, for example, this ZDNet article from yesterday about a new report saying “European cybersecurity agency ENISA has come down firmly against backdoors and encryption restrictions, arguing they only help criminals and terrorists while harming industry and society.”

Cross-posted to Slaw

Invasion of Privacy tort continues to develop

In Ontario, conventional wisdom was that invasion of privacy was not something you could sue for.  But that is changing, as evidenced by a just released decision of the Ontario Superior Court of Justice called Jane Doe 464533. That decision awarded damages and costs totaling $141,000, plus an order for the defendant to destroy any video or images he may still have, never to share any intimate images of the plaintiff, and to not communicate with the plaintiff or her family. A pdf version of the decision is here: Doe – redacted

Until this decision, the first case of a successful tort action for invasion of privacy was Jones and Tsige.  The tort in that case was called intrusion upon seclusion, and basically applies only to nosy neighbour cases.  In other words, where an individual accesses personal information on someone for nothing more than curiosity.  The damages for that are capped to such an extent that in practice it probably isn’t worth taking it to court.

Some privacy class actions have been started since then, which would require an expansion of current law to succeed, but none have reached trial.

In the Jane Doe case the defendant was a former boyfriend of the plaintiff who convinced her to take an intimate video of herself, promising that he would not show it to anyone. But of course he posted it online. That lead to severe emotional distress for the plaintiff.

While the decision is ground breaking, there is a caveat to it.  The defendant did not file a statement of defence, and this decision was based on a motion for default judgment.  So while the decision is well reasoned, there was no contrary position presented. This issue will eventually make it to an appeal court in another case to settle the law.

This decision will no doubt be analysed and cited by anyone attempting to sue for a privacy breach, or seeking a remedy for cyberbullying or revenge porn.

Cross-posted to Slaw

Update to Internet Explorer 11 now for security

Microsoft has just ended support for Internet Explorer versions 10 and earlier.  That means Microsoft will no longer provide security patches, which makes them risky to use from a security perspective.

Anyone still using those versions should update to IE 11 immediately.  Those using Windows 10 can use the Edge browser instead.  Edge works well, but unfortunately does not yet support add ons like password managers.  Another option is of course to use Chrome.

If there is a need to use an earlier version of IE because of legacy internet applications that are not up to current standards, IE 11 includes an “enterprise mode” that will run those.

And if you are still using Windows 8 or an earlier operating system, it’s time to upgrade to at least 8.1.  Security support is still available, but not full support. Windows 10 is the best option.  For most, that upgrade is free.  If you are still using Windows XP – yes, some still are – its way past the time to upgrade – its not even getting security support anymore, and is a potential security risk.

Cross posted to Slaw

CES 2016

The annual Consumer Electronics Show is now underway in Las Vegas – where tech companies show off their latest and greatest.  Popular themes this year include drones, internet of things, and cars.   And of course TVs.  LG is showing OLED 4K TVs that are impossibly thin – 2.57 mm, yes, mm thin.  While they are expensive, and there isn’t much 4K content yet, that is expected to change much faster than HD came to market.

It is easy to scoff at some of the individual items that show up at CES, and certainly some of them will never gain any traction, but the better focus is on trends and where we are headed.  ZDNet, for example, sees IOT and wearable becoming useful, and AR and VR getting a purpose beyond gaming.

If you are interested in following CES, there is lots of coverage in the tech press – such as CNET  and The Verge.

oled-tv-inline-807x1024Exterior_3_0

 

 

 

 

 

Cross posted to Slaw

A supercomputer on your wrist

smartwatchcray-2-computer-system

 

Sometimes we get so wrapped up in the specs and quirks of our current technology that we forget how far we have come.

To put it in perspective, consider a smartwatch.  There are many ways to measure computer performance – CPU speed, amount of ram, amount of storage memory, network speed, etc.  A common way to compare basic performance, though, is by FLOPS, or floating operations per second.

A smartwatch can do somewhere in the range of 3 to 9 gigaflops.  To put that in perspective, the Cray-2 supercomputer in 1985 could do about 1.9 gigaflops.  You could buy one then for about $17,000,000.  It used 200 kilowatts of power (that’s several times the power a typical home electrical system provides), occupied 16 square feet of floor space (if you ignore its separate cooling system) and weighed 5500 pounds.  (A pdf brochure with the details is here.) I’m sure no one then thought we would ever strap something like that on our wrists, let alone order one online and have it arrive a couple days later.

Makes one wonder what the next few decades will bring.

Cross-posted to Slaw

8 things to consider in an NDA

top legal issues for tech bus

Confidentiality for business information is rarely implied at law, so if a business is going to share sensitive information with someone, it needs to protect that by a non-disclosure agreement (NDA). NDAs (also called confidentiality agreements) can be either standalone or as part of a larger agreement.

NDAs are routine and are often considered standard agreements – but here are 8 things to think about.

  1. Should it be mutual to protect both parties’ information, or does it need to only protect one party?
  2. Does it need to protect just the discloser’s information, or is third party information involved?
  3. Does the confidential information include personal information as defined under privacy laws? If so, it may need some additional or different wording to comply with privacy obligations.
  4. NDAs have 2 basic elements – what the recipient can do with the information, and who the recipient can share the information with both inside and outside of the organization.
  5. Should the definition of confidential information describe what is confidential, or is it only confidential if it is marked confidential? Requiring marking makes it clear for the recipient, but the owner has to remember to do that, and it can be a nuisance to deal with oral or unwritten material.
  6. Does the information cease to be confidential after a fixed number of years, or does it last until the information gets in the public domain?
  7. If it is a standalone NDA that is a precursor to a substantive agreement, it needs to be addressed again in the substantive agreement – either by replacing it with new NDA language, or by explicitly confirming that the original NDA continues.
  8. Be on the lookout for other things buried within an NDA. They usually stick to NDA concepts, but occasionally contain unexpected provisions.

Encryption = good : Backdoor = bad

Every time there is a tragic attack on people or property, there is a cry from various authorities or politicians for law enforcement to get unfettered access to all kinds of communication tools.

But that would cause far more harm than good, and is a really bad idea.

The argument goes something like this:

These bad actors hide behind encrypted communications to plan their evil deeds.  Therefore to stop them law enforcement needs to have access to all this.  Therefore we need to have backdoors built into all encryption that law enforcement can use.

This is flawed in many ways.

There is no evidence that unfettered access to communications helps.  Sometimes the information was actually available, but no one managed to put it together ahead of time to stop the evil deed.

There is no way that backdoors can be limited to use by law enforcement.  They will inevitably be discovered by others and used for evil, thus rendering encryption and all the protection it provides useless.

Bad actors will stay a step ahead.  If mainstream communications and encryption tools have backdoors, they will just create their own secure communications channels.

But don’t just take my word for this.  Read, for example, this article by security expert Bruce Schneier entitled Why we Encrypt.

And this article by Cory Doctorow on how ridiculous British Prime Minister David Cameron’s comments on the need to backdoor encryption are entitled What David Cameron just proposed would endanger every Briton and destroy the IT industry.

And this article by Mike Masnick of Techdirt entitled The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem.

Cross posted to Slaw