When corporate policies can backfire

Businesses and organizations rely on internal and external policies and procedures to document the way they do certain things. But if not written carefully, those policies can actually add risk.

Many of these are compliance-based. In other words, they set out how, in practice, the business will deal with various legal obligations. Depending on the nature and size of the business, they could deal with things like privacy, anti-spam, workplace safety, and money laundering, and the list goes on.

Having these policies can help reduce legal risk, and help ensure that employees do the right thing.

Sometimes businesses create policies and procedures that impose obligations on themselves more onerous than needed to comply with the law. There are a number of reasons for doing that. Perhaps the business feels a moral obligation to do better on the environment, for example. Or perhaps there is a strong corporate culture around customer service that goes far beyond consumer protection laws.

But perhaps the business does not really understand the laws in the area and the actual obligations they impose.

No matter what the reason, the risk is that by creating a more onerous policy or procedure than necessary, the business increases its own legal obligations. It is, in effect, writing its own more onerous laws.

That increased obligation may become the standard or promise against which the business is judged by customers, by regulators, and by courts.

That’s fine if it is a conscious decision, but not if it is an unintended consequence of misunderstanding the laws the business must comply with.

Cross-posted to Slaw

Apple fights court-imposed FBI backdoor order

Apple CEO Tim Cook has taken a very public stand against an FBI request, and a court order, to create a backdoor into the Apple operating system. This arose from the investigation into the San Bernardino mass shooting last December.

See this article on ZDNet for more details. And read Tim Cook’s customer letter posted on the Apple website for a more complete explanation of Apple’s position.

Kudos to Tim Cook and Apple for this.

Security and privacy experts continue to point out that backdoors are a bad idea that cause far more harm than good.

See, for example, this ZDNet article from yesterday about a new report saying “European cybersecurity agency ENISA has come down firmly against backdoors and encryption restrictions, arguing they only help criminals and terrorists while harming industry and society.”

Cross-posted to Slaw

Update to Internet Explorer 11 now for security

Microsoft has just ended support for Internet Explorer versions 10 and earlier. That means Microsoft will no longer provide security patches for them, which makes them risky to keep using.

Anyone still using those versions should update to IE 11 immediately. Those using Windows 10 can use the Edge browser instead. Edge works well, but unfortunately does not yet support add-ons like password managers. Another option is of course to use Chrome.

If there is a need for an earlier version of IE because of legacy web applications that are not up to current standards, IE 11 includes an “Enterprise Mode” that will run those.

And if you are still using Windows 8 or an earlier operating system, it’s time to upgrade to at least 8.1. Older supported versions still get security patches, but not full support. Windows 10 is the best option, and for most the upgrade is free. If you are still using Windows XP (yes, some still are), it’s way past time to upgrade: it is not getting security patches anymore, and that is a real security risk.

Cross posted to Slaw

CES 2016

The annual Consumer Electronics Show is now underway in Las Vegas, where tech companies show off their latest and greatest. Popular themes this year include drones, the internet of things, and cars. And of course TVs. LG is showing OLED 4K TVs that are impossibly thin: 2.57 mm, yes, millimetres. While they are expensive, and there isn’t much 4K content yet, that is expected to change much faster than it did when HD came to market.

It is easy to scoff at some of the individual items that show up at CES, and certainly some of them will never gain any traction, but the better focus is on trends and where we are headed. ZDNet, for example, sees IoT and wearables becoming useful, and AR and VR getting a purpose beyond gaming.

If you are interested in following CES, there is lots of coverage in the tech press, such as CNET and The Verge.

Cross posted to Slaw

A supercomputer on your wrist

Sometimes we get so wrapped up in the specs and quirks of our current technology that we forget how far we have come.

To put it in perspective, consider a smartwatch. There are many ways to measure computer performance: CPU speed, amount of RAM, amount of storage, network speed, etc. A common way to compare raw performance, though, is by FLOPS, or floating-point operations per second.

A smartwatch can do somewhere in the range of 3 to 9 gigaflops. To put that in perspective, the Cray-2 supercomputer in 1985 could do about 1.9 gigaflops. You could buy one then for about $17,000,000. It used 200 kilowatts of power (several times what a typical home electrical service provides), occupied 16 square feet of floor space (if you ignore its separate cooling system) and weighed 5500 pounds. (A pdf brochure with the details is here.) I’m sure no one then thought we would ever strap something like that on our wrists, let alone order one online and have it arrive a couple of days later.

Makes one wonder what the next few decades will bring.

Cross-posted to Slaw

Encryption = good : Backdoor = bad

Every time there is a tragic attack on people or property, there is a cry from various authorities or politicians for law enforcement to get unfettered access to all kinds of communication tools.

But that would cause far more harm than good, and is a really bad idea.

The argument goes something like this:

These bad actors hide behind encrypted communications to plan their evil deeds. Therefore, to stop them, law enforcement needs access to all of it. Therefore we need backdoors built into all encryption that law enforcement can use.

This is flawed in many ways.

There is no evidence that unfettered access to communications helps. Sometimes the information was actually available, but no one managed to put it together ahead of time to stop the attack.

There is no way to limit a backdoor to use by law enforcement. A backdoor is a deliberate weakness in the system, and whoever holds the key, or finds the flaw, can walk through it. It will inevitably be discovered or stolen and used for evil, rendering encryption and all the protection it provides useless.

Bad actors will stay a step ahead. If mainstream communications and encryption tools have backdoors, they will simply build or adopt their own secure channels that don’t.

But don’t just take my word for this. Read, for example, this article by security expert Bruce Schneier, entitled Why We Encrypt.

And this article by Cory Doctorow, entitled What David Cameron just proposed would endanger every Briton and destroy the IT industry, on how ridiculous British Prime Minister David Cameron’s comments on the need to backdoor encryption are.

And this article by Mike Masnick of Techdirt entitled The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem.

Cross posted to Slaw

Cyber Security Report Card

Cybersecurity was a major topic at the recent Canadian IT Law Association conference. It can be a daunting subject to ponder when dealing with various types of services, cloud providers, and the methods, standards and assurances available to lower the risk of a security breach. Cyber insurance to cover some of these risks is a growing field.

This Cyber Security Report Card (pdf) is a good high level summary of the things that businesses should think about when considering security issues for their organization.  It was provided by one of the luncheon speakers, John Millar of Digital Boundary Group, which is an IT security testing firm.

(For transparency, Digital Boundary Group is a client of mine.)

Cross posted to Slaw

James Bond, Spectre, and the Surveillance Society

I don’t normally do movie reviews, but Spectre, the latest James Bond movie, has a cautionary tale about the surveillance society that is worth commenting on. It deals with the undemocratic, totalitarian, dystopian aspects of ubiquitous surveillance.

Some reviewers have been critical about the movie, but my view of Bond movies is that they are more about entertainment than plot and character development.

Some elements of the movie are uncomfortably real, like its spin on the Five Eyes network. After I saw it I wondered what Ed Snowden would think. This is what Wikipedia has to say about Snowden’s thoughts on Five Eyes.

The former NSA contractor Edward Snowden described the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The Intercept has a good article about the movie entitled Only Edward Snowden Can Save James Bond.

From The Intercept article:

Knowing everything about everyone is actually of limited use to the good guys. But it’s hugely useful to the bad guys — be they extortionists, terrorists, or power-mad bureaucrats. And if it’s collected, somewhere, be assured the bad guys can get their hands on it.

While Bond is pursuing his super-villain, his boss M wages a losing bureaucratic war with C, who’s more of an NSA/GCHQ type. M inevitably describes the massive surveillance network that C is building as “George Orwell’s worst nightmare.” In response, C literally laughs at M’s devotion to the quaint notion of “democracy.” Subtle it ain’t, but the central point — that ubiquitous surveillance is an inevitably totalitarian tool, not just inappropriate for democratic society, but actively inimical to it — is often underappreciated in the current debate.

The movie also shows us what kind of hero we need to prevent such a dystopian future — and it isn’t Bond. It’s Q, who bears a striking resemblance to Edward Snowden.

When it comes to surveillance data, it’s hard to know who the bad guys really are. Depending on what it is used for, it can be those who are supposed to be protecting us. And if you think this information can’t get into the wrong hands, take a look at this article about the lack of security in an FBI database.

Cross posted to Slaw

Cutting edge is great – but sometimes not easy

I got a Microsoft Surface Pro 4 last week, the plan being to replace my main computer and my tablet. It’s a great machine, essentially a tablet that works like a laptop. It’s noticeably faster than the desktop it replaces. Using it as a tablet takes some getting used to, because it seems weird to have a tablet that is a full-featured computer. For example, I have apps on my Android tablet that my first inclination is to get for the Surface, but then I realize that the app isn’t needed when you are using a computer.

The high resolution display makes things like Flipboard content, magazines and video look better than I’ve ever seen on a tablet or laptop.

The biggest headache has been getting the document management software we use at HP to work. It just isn’t designed to scale properly on a high resolution display, and took a lot of work by our IT department to make it usable. Unfortunately specialty software like that often lags behind current tech and operating systems.

Cross-posted to Slaw

Happy Back to the Future Day

In the 1989 movie Back to the Future Part II, the characters time-travelled to October 21, 2015. (The movie was produced by Neil Canton, no relation as far as I know.)

Articles abound today comparing the 2015 depicted in the movie to today’s world.  While we don’t have flying cars, and hoverboards have not proceeded beyond some proof of concept demos, drones and flatscreens and a few other things are here.

Another prediction that didn’t come true is the quip that the justice system works swiftly in the future now that they’ve abolished all lawyers.

Wearable tech was envisioned, though, which Gartner currently places at just past the “peak of inflated expectations” on its hype cycle. If you believe wearables are just a passing fad or toys, take a look at this article entitled I’m a cyborg now and so are you. And consider that one of the panels at next week’s Canadian IT Law Association Conference is entitled “Key IT Law Issues for Wearable & Mobile Devices.” (I’m moderating that panel.)

Cross-posted to Slaw