Cloud computing: It’s all Good – or Mostly Good

A ZDNet article entitled “Cloud computing: Four reasons why companies are choosing public over private or hybrid clouds” makes a case for the value of the public cloud.

The reasons:

  • Innovation comes as standard with the public cloud
  • Flexibility provides a business advantage
  • External providers are the experts in secure provision
  • CIOs can direct more attention to business change

This is all good – or mostly good.

The caveat is that the use of the cloud can fail if a business adopts the cloud without thinking it through from the perspectives of mission criticality, security, privacy, and continuity. If a business runs a mission-critical system in the cloud, and that system fails, the business could be out of business.

The IT Manager no longer has to consider day-to-day issues around keeping software and security up to date. But they still have to consider higher-level issues.

It is important to understand what the needs are for the situation at hand.  A system that is not mission critical, or does not contain sensitive information, for example, would not require as much scrutiny as a system that runs an e-commerce site.

Issues to consider include:

  • how mission critical the system is
  • what the consequences are of a short term and long term outage
  • how confidential or personal the information is in the system
  • whether the information can be encrypted in transit and at rest
  • how robust the vendor’s continuity plan is
  • the need for the business to have its own continuity plan – such as a local copy of the data
  • how robust the vendor’s security is
  • whether the vendor has third-party security validation to accepted standards
  • whether the vendor’s agreement has provisions that back these issues up with contractual terms and service levels with meaningful remedies

Cross-posted to Slaw

Internet of Things Security Standard Proposal

The Internet of Things (IoT) is surrounded by a lot of hype. There is great promise to be able to do and know all sorts of things when all our stuff can communicate. That could be almost anything, including thermostats, cars, garage door openers, baby monitors, appliances, fitness trackers, and the list goes on. Cheap sensors and easy connectivity mean that it is becoming trivial to measure everything and connect almost anything.

But with great promise comes great risk.  Our things will generate information about us – both direct and inferred.  There are security issues if these devices can be controlled by third parties or used as back doors to gain entry to other systems.  It may not be a big deal if someone finds out the temperature of your house – but it is a big deal if they can go through your thermostat and get into your home network.

These privacy and security issues must be dealt with up front and built into the devices and ecosystem.

The Online Trust Alliance (members include ADT, AVG Technologies, Microsoft, Symantec, TRUSTe, Verisign) just released a draft IoT Trust Framework to address this issue.  The draft is open for comments until September 14.

Cross-posted to Slaw

ITU proposes more government control over the internet

Today’s Slaw post

The International Telecommunication Union (ITU), the telecommunications arm of the United Nations, is hosting a World Conference on International Telecommunications starting Dec 3. The agenda includes gaining a role for the ITU on Internet governance. This is in part fueled by repressive government regimes wanting more control over the internet and its users. It has drawn huge opposition from human rights and free speech advocates, and also from companies such as Google. Vint Cerf – now with Google but considered the father of the internet – has come out very strongly against it.

This is a very bad idea. One of the reasons that the internet has worked so well is that it has been designed and operated without government interference.

Two activist groups that played a key role in the debate over the Stop Online Piracy Act, Fight for the Future and Access Now, have created a website warning about the move and containing links to further reading and resources.


IPv6 now officially launched

My latest Slaw post.

June 6, 2012 was chosen by the Internet Society as the world IPv6 launch day. Major ISPs, web companies and home networking equipment manufacturers have now turned IPv6 on permanently.

IPv6 is a new internet addressing scheme that will replace IPv4, the current scheme. The main issue was that IPv4 only allows 4.2 billion addresses, which is not enough to meet world demand – especially given the number of smartphones, computers, servers, and the future of the internet of things. IPv6 allows for 340 undecillion addresses (3 followed by 38 zeros).

More information can be found in this cnet article, and this eWeek article.

The average user won’t notice a difference. Most current operating systems and web browsers support IPv6. Anyone buying any new networking equipment should make sure it is IPv6 capable. And if you are still holding on to that Windows XP machine that won’t be IPv6 capable, don’t panic just yet – IPv4 won’t be turned off for a while.


Stop SOPA – PIPA protest

That’s the title of my Slaw post for today.  It reads as follows.

Here are some of the sites that are going dark today, or changing their home pages in protest over the proposed US legislation. For more information on why this legislation is so bad, check out these sites, or search for “SOPA” on Slaw or, or just Google it.


Boing Boing



This is Google’s US site. Google’s Canadian homepage does not seem to be affected.

Michael Geist


Child porn reporting law applies to anyone providing internet access

The Canadian Federal law An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service came into force on Dec 8.  (Even though the regulations under the act won’t be published until next week.)

The Act requires those providing an “Internet Service” to report to either the police, or to depending on the circumstances, any child pornography they become aware of on the net, or if anyone is using their service to commit child pornography offences under the Criminal Code. 

They don’t have to look for it, but if they become aware of it, and don’t report it, it is an offense subject to significant fines.

It is noteworthy that the law applies to more than just what we would consider ISPs. It applies to anyone “providing Internet access, Internet content hosting or electronic mail” to the public.

So that would include anyone providing open wi-fi to the public, such as a coffee shop or municipality.  If you provide any kind of public access to the internet, you need to understand your obligations under this law.


Why SOPA & PROTECT-IP are bad ideas

There is proposed legislation in the US that would give broad rights to block entire web sites based on mere allegations that a small part of them might have some infringing content. The legislation is backed by the entertainment industry as an anti-piracy measure. There is a groundswell of opposition against the legislation, but it is still very possible that it could become law.

Mike Masnick of Techdirt has a great article explaining in detail what the problem is.



Terms of use binding to website users

For the London Free Press – October 24, 2011 – Read this on Canoe

Are Browse-wrap agreements binding?

Most web sites contain a link at the bottom of the page to “terms of use”. But are they binding on those who use the website? A recent Canadian case says they are.

Despite the prevalence of terms of use linked to the bottom of web pages, Canadian courts have not spent much time discussing whether they are binding the same way that “click-wrap” agreements are.

The Ontario Superior Court decision in Century 21 Canada Limited Partnership versus Rogers Communications Inc. shed some light on this issue. The case discussed the evolution of agreements as software sales have shifted from boxed software purchases to online.

“Shrink wrap” agreements are contracts that are entered into by the purchaser when they tear open the shrink wrap of a software purchase. Implicit in the opening of the packaging is the idea that the user is agreeing to be bound by the terms of use.

“Click wrap” agreements are when users are required to indicate their agreement by clicking on an “I Agree” box. Implicit in the “click” is the idea that the user is agreeing to be bound by the terms of use.

A “browse wrap” agreement does not require the user to click an “I Agree” box; instead, the mere use of the website on which it appears may lead to a finding that the user is bound by the terms of use.

Click wrap agreements are binding in Canada pursuant to case law and legislation. The difficulty in “browse wrap” agreements is that the user may not realize a website contains terms of use, and even if the user is aware of the terms of use, the user may not agree to be bound.

But being bound by agreements one has not read is not a new concept. There is a series of ticket cases where fine print on the back of a ticket or document was held to be binding, provided that it is brought to the person’s attention. It doesn’t matter if the person actually read it, provided they could have easily read it if they wanted to.

Zoocasa, a subsidiary of Rogers Communications Inc., was “scraping” online real estate listings from Century 21’s website and reposting them on its own site with additional information. Zoocasa admits it had knowledge of Century 21’s terms of use, which included a term prohibiting scraping. The court found Zoocasa’s access and use of the website following actual notice of the terms of use constituted acceptance of the terms of use. Part of the court’s decision turned on the fact that Zoocasa is a sophisticated business entity and is therefore familiar with the concept of terms of use within a website.

The court did not have to determine if Zoocasa had clear notice of the terms of use because this fact was admitted.

Given that it is common practice for websites to have links to terms of use at the bottom of their pages, it would be logical to assume that would be sufficient to constitute notice.

Smartphone revolution – ignore at your peril

That we are in the midst of a huge change in the way we communicate in our work and personal lives is no revelation.  But I think many of us don’t realize how rapidly this change is happening, and the many ways it will affect us.

It is a combination of things like mobile access, handheld computing power, inexpensive apps, cloud computing, location awareness, and social media.

Consider this: mobile devices are outselling PCs, and digital media is equal to television in importance amongst ad executives.

The explosion of smartphones and tablets enables us to get information about almost anything immediately wherever we are.  And to provide information to others just as quickly.  Tools like Google Goggles and Siri can do that by simply taking a picture of something, or speaking into our phones. (And really, the “phone” part of our phones is dwindling in importance to the rest of their features.)

All businesses and organizations should be thinking about how this is now affecting  them, and how it will affect them in the future – both in how it will challenge their current business models, and how they can use it to their advantage. 

And don’t forget to think about who your competitors will be.  For example, who is going to own the mobile payment space?  It might be the banks and credit card companies – but it could be telcos or Google.

It also raises interesting legal issues – like who owns the movie rights to a crowdsourced story, and how do privacy rights tie in with location aware services?

The one certain thing is that we ignore this revolution at our peril.

New registering program – Door opened to allow almost anything

For the London Free Press – August 8, 2011 – Read this on Canoe

The Internet Corporation for Assigned Names and Numbers (ICANN) recently approved a new program for registering generic top-level domain names (gTLDs). The door has opened to allow for almost anything.

The current most commonly recognized TLD is .com, followed by .org.

By 2013, Internet users can expect to see an influx of new internet domain extensions, such as .bank, or ones using major brand names.

The new program will open up the Internet domain market for businesses, organizations and individuals who wish to distinguish themselves or their products in the virtual world by having a personalized domain extension. ICANN anticipates many of the new domain extensions will be registered by cities and other geographic locations, by corporations and by special interest groups.

Those who wish to register a gTLD must submit an application to ICANN and pay a $185,000 application fee. ICANN will accept applications between Jan. 12, 2012 and April 12, 2012. After the application deadline, ICANN will review each application and assess whether the proposed domain extension will be appropriate.

ICANN has introduced a list of conditions and qualifications that must be met by gTLD applicants to ensure they have sufficient financial, technical and operational capabilities to administrate and maintain their gTLD. For example, applicants are first required to undergo background screening of their general business diligence and criminal history to validate the legitimacy of their application and prevent cyber-fraud.

If an applicant passes the background screening, it will be subject to several assessments and evaluations to determine whether its proposed gTLD is feasible. This includes a review to determine whether it will create user confusion or too closely resemble another gTLD. There is a process to determine which applicant will prevail if there are multiple applicants for the same gTLD.

Administrating a gTLD involves a huge commitment and the responsibility to ensure security, ease of access and uninterrupted use. Unlike registering a website domain, such as,a gTLD can accommodate thousands of different websites with the same domain extension.

ICANN’s decision to expand the gTLD registry presents some potential challenges and concerns that must be addressed. For example, gTLDs are border-less but the entities that own the rights to administer a gTLD are confined to the country in which they reside.

A Canadian entity might, for example, acquire the right to administer the domain extension .bank and restrict its use to legitimate banks. However, other countries with different laws about what constitutes a bank may also wish to use the .bank domain extension. Such a situation may give rise to conflicts and liabilities if not adequately prepared for in advance.

The expansion of the gTLD will certainly make the Internet a more interesting place to explore as businesses and individuals seek to distinguish themselves and their products or services online. More information about the ICANN gTLD application process is in its Applicant Guidebook on its website at