Wednesday, June 22, 2011

The Current on facial recognition technology to identify Vancouver rioters

I was invited to participate in a discussion on CBC's The Current about the proposed use of ICBC's facial recognition software to identify people who participated in the Vancouver riots following the loss of the Stanley Cup playoffs. The segment is here as an MP3 file for your listening pleasure: http://podcast.cbc.ca/mp3/podcasts/current_20110622_72805.mp3 or embedded on their site.

First up was Adam Grossman of ICBC, followed by me, then Marc Rotenberg of EPIC, then Gil Hirsch of Face.com.

The CBC's summary of the segment is here.

Tuesday, June 21, 2011

Privacy Commissioner's annual report suggests a more active and hands-on role

The Privacy Commissioner of Canada today has tabled her annual report to Parliament on the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Canada's private sector privacy law.

A large portion of the report is a description of an audit her office carried out of Staples following two complaints that the company had resold electronics without ensuring that personal data from the previous owner had been securely removed. Generally, she found they followed her guidance but she identified some remaining shortcomings.

The main lesson is that the Commissioner is getting more proactive and businesses need to be more vigilant. This is, to my recollection, the first time that her office has audited a business, and it sounds like it was an extensive investigation. This, coupled with her request that Google undergo an independent, third-party audit, suggests a stronger position than she has taken before. To top this off, she continues the discussion about whether she should be given order-making powers and the power to levy penalties. I think we're seeing a significant change from the Office of the Privacy Commissioner. The full report is here: Annual Report to Parliament 2010 - Report on the Personal Information Protection and Electronic Documents Act.

Monday, June 20, 2011

A suggestion to thwart (some) phishing attacks?

Like just about everyone, I receive loads of predictable phishing e-mails that (hopefully) make it into my spam bucket. But I was intrigued by the following message that I happened upon when perusing my spam messages:

From: "Linda Evans"
To: david.fraser@XXXXXX.com
Date: Monday, June 20, 2011 2:10 PM
Subject: David f*** [redacted] you!!

Remove your f****** [redacted] comment from my profile , I AM NOT YOUR BITCH!
Do I even know you?
Remove it : http://www.facebook.com/profile.php?id=100000456101822
If you dont , I will report you to Facebook and get your account suspended!!!

The link went to a page that appeared to be the Facebook login page but was hosted on some other website, which would capture your password.

I am sure that this will become a routine phishing method, but will probably catch a few folks who haven't seen it before.

I would like to suggest something that should be implemented in all e-mail programs and all browsers: If there is some text that looks like a link between the <a> and </a> HTML tags that doesn't correspond to the actual URL that the link leads to, a warning should appear saying

"It looks like you're clicking on a link that goes to YYY but you're actually going to ZZZ. That doesn't sound good. Are you sure you want to do this?"

I wonder how many phishing attacks could be prevented with this simple change?
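As an added example (not code from the original post), here is the proposed check written in JavaScript: it compares the host named in a link's visible text with the host its href actually points to and produces the warning described above when the two differ. The sample e-mail HTML and the stand-in phishing host `login.example.net` are constructed for this example.

```javascript
// Added example: flag links whose visible text looks like a URL on one host
// while the href actually leads to another. Runs under Node.js (uses the
// global URL class); no network access is needed.

// Extract a hostname from link text, but only if the text itself looks like a URL
// ("http://host/...", "https://host/..." or a bare "www.host.tld/...").
function hostFromText(text) {
  const m = /^(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Hostname the browser would really connect to; null for relative or non-HTTP links.
function hostFromHref(href) {
  try {
    const u = new URL(href);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Compare the last two labels so "www.facebook.com" and "facebook.com" count as
// the same site. Heuristic: multi-label public suffixes such as co.uk are not handled.
function sameSite(a, b) {
  const tail = h => h.split('.').slice(-2).join('.');
  return tail(a) === tail(b);
}

// Returns null when nothing is suspicious, otherwise the warning text the post proposes.
function checkLink(text, href) {
  const shown = hostFromText(text);
  if (!shown) return null;          // visible text is not URL-like: nothing to compare
  const actual = hostFromHref(href);
  if (!actual) return null;         // relative, mailto: or other non-HTTP link
  if (sameSite(shown, actual)) return null;
  return `It looks like you're clicking on a link that goes to ${shown} ` +
         `but you're actually going to ${actual}. Are you sure you want to do this?`;
}

// Minimal anchor extractor for an HTML e-mail body (constructed for this example;
// a real mail client or browser would walk the DOM rather than use a regex).
function scanHtml(html) {
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const visible = m[2].replace(/<[^>]+>/g, '');   // strip inner markup
    const warning = checkLink(visible, m[1]);
    if (warning) findings.push({ text: visible, href: m[1], warning });
  }
  return findings;
}

// Constructed sample: the first link mimics the quoted message (visible text names
// facebook.com, href goes to a stand-in phishing host); the second is consistent;
// the third has non-URL text and so is outside what this check can catch.
const SAMPLE_EMAIL_HTML = `
<p>Remove it : <a href="http://login.example.net/fb/index.php">http://www.facebook.com/profile.php?id=100000456101822</a></p>
<p>Help: <a href="https://www.facebook.com/help">http://www.facebook.com/help</a></p>
<p>Other: <a href="http://login.example.net/">click here</a></p>
`;

for (const f of scanHtml(SAMPLE_EMAIL_HTML)) {
  console.log(f.warning);
}
```

Link text that is not URL-like ("click here") produces no warning, which is the limitation the post's "(some)" acknowledges.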

Sunday, June 19, 2011

Some thoughts on online targeted advertising

Michael Rosenwald at the Washington Post recently did an interesting thing; something that people should think about doing if only to consider how the web works and what their options are to control their personal information and to control their experience on the internet. He set his advertising preferences among the various online advertising companies so that irrelevant advertising was replaced by much more relevant ads.

The reality is that most advertising is supposed to be relevant to the viewers (compare the ads you'd see in Golf Today versus those in Cosmo), but much of the targeting is so coarse that too many viewers are outliers. While it may be ideal to live in a world free of anything we consider visual noise and clutter, the reality is that much of our experience online as users is supported by advertisers. Targeting aims to tailor the ads to their perceived value to the viewer, which is much more feasible for online advertisers. An ad provider may know that most of the ads served to you are on golf-related sites and automotive sites, so it will serve ads focused on those interests even when you're on a "general interest" website.

In my experience, people get very creeped out when they think what they're doing (online or offline) is being tracked or observed. The creep-out factor is somewhat dissipated if the user understands what's really going on under the hood. The information is out there, but most users don't take the time to do a quick search. Just Google "how facebook advertising works" and you'll learn how their system works.

Frankly, I'd rather that advertising were better so that we'd no longer have to deal with horrible pop-ups and interstitial ads. I'd rather not see any more ads for services that I've already signed up for or group buying outfits that I don't care for.

I have let a number of web services know about my preferences so that their services are more relevant to me. The same can be said for online advertisers. The ads will be there whether I like it or not, so they might as well provide some small value.

Here's the WaPo article:

Operation Track Me More: A writer invites the Web to offer more relevant ads - The Washington Post

By Michael S. Rosenwald, Published: June 17

The other night, after putting the kids to bed and polishing off some cookie-dough ice cream, I went down to the basement and offered the Internet advice on how it could better track me.

I can’t report that I did this with trepidation, that I trembled as my browser opened, that the lights flickered, that privacy advocates dispatched National Security Agency operatives to pry my cold fingers from the mouse. There was none of that. It was easy. I did it with zeal.

My goal: Stop the Internet from frequently showing me ads for products I don’t care about or need, such as Preparation H or Gillette’s new Venus Bikini Trimmer, which sounds positively terrifying and totally useless to me because, among other reasons better left unsaid, I only buy swimsuits that reach my knees.

And so, using new tools designed by advertisers already tracking our every digital move, I told the Internet the following things: I am not over 65, as it had thought. I don’t want travel ads unless they are for Europe. I really like fast food. I like gadgets. I am not an executive. (Ha!) Please, please, please stop showing me ads for new cars. And I would like more deals for flowers, since I often find myself seeking absolution from Mrs. Rosenwald.

My experiment, which I code-named “Operation Track Me More,” comes as Google, Yahoo and other digital advertising platforms and networks face increasing pressure from lawmakers and government agencies, which are examining a slew of proposals for “Do Not Track” laws and other regulations that threaten the ad industry’s Holy Grail: getting the right ad to the right person at the right time.

Privacy advocates say the little cookies that advertisers slip onto our computers to analyze our browsing habits are creepy, invasive and potential ammunition for insurers or employers. Advertisers say that those claims are unfounded and that ad networks are anonymously tracking our behavior so they can improve our lives by offering products we need or want, rather than, say, bikini trimmers dangled at men.

Although it is unclear exactly how much online advertising is behaviorally targeted, Google has gone so far as to create this tag line for its ad focus of late: “There’s a perfect ad for everyone.” The company is increasingly hyping a world where advertisers bid against one another — in the milliseconds it takes to load a Web page — to show us relevant ads based on who we are and what we like. The alternative, advertisers say, is akin to spam.

“If you go back to one of the earlier phases of Internet marketing, the big complaint was about spam,” said Randall Rothenberg, president of the Interactive Advertising Bureau, a trade group for advertisers. “There’s a continuum here. On one end is spam, and on the other is relevant ads. If you want to shut down the relevance technologies, the end result is undeniably and indisputably an increase in spam.”

Critics think that there is much more at stake and that the future is scary, not exciting.

“This is not about your privacy in buying a pair of pants or a shirt or even a book,” said Jeff Chester, the executive director of the Center for Digital Democracy, a fierce critic of ad targeting. “This is about a very powerful system that consumers are incapable of understanding and maneuvering around.”

Tools of the trade

Advertisers have reacted to regulators’ concerns by offering tools, which I used during Operation Track Me More, that help people adjust ad settings or opt out from tracking. This can be done in several ways: by going to platforms such as Yahoo or Google and searching for the ad preference page, by mousing over to individual sites hosted by advertising industry groups or by clicking on tiny new icons advertisers are placing in ads, labeled “Ad Choices.” Critics say the various options are too cumbersome and don’t protect sensitive data, such as health interests.

The new tools also offer ways to increase tracking — to essentially edit the vast dossiers that advertisers already have on us. On one ad network, I specifically disliked ad categories such as autos, financial services and real estate, instead replacing them with HD televisions, flowers and toys. Also allergies, which are basically my only concern every spring. The ad industry says adding and subtracting interest categories provides more control and transparency. Popping into my head: an image of a fox guarding a henhouse.

Let’s be certain about one thing: My tracking efforts placed me squarely in the majority and minority of Internet users. Most online consumers, according to studies, indicate that too many of the ads they see online are not relevant to them. I am happy this group has welcomed me with open arms, and I look forward to get-togethers. However, few of us don’t mind being tracked. Studies have shown that up to 80 percent of consumers aren’t comfortable with tracking technology or being tracked, even if it leads to better ads.

One reason: It’s disturbing. Another reason: Many people think ads are useless no matter what.

“Why would they trade data for ads when they don’t see ads as beneficial one way or the other? They are just getting in the way,” said Aleecia M. McDonald, a researcher who studies ad tracking. “One woman in a study put it nicely: ‘Ads are like slow people on the sidewalk in front of you. There’s nothing you can do. You just have to wait.’ ”

But as I found out, relevant ads can grab attention. I played a little turn-it-on/turn-it-off game with AOL. I clicked over to its ad preference settings and saw what it already discerned about me: that I liked gadgets, news and other consumer products. So they had me somewhat figured out already. Then I spent a lot of time on AOL’s various Web sites studying the ads. I kept noticing one particular ad for a wireless charging gadget for cellphones. The ad followed me around AOL’s sites. I eventually clicked on it to see more.

A study performed by Yahoo explains what was happening: Consumers spend 25 percent more time fixating on relevant ads than those that aren’t relevant. How’s this for spooky: Their pupil dilation actually increases 27 percent. I can’t see my own pupils, though I bet they dilated while I was following this ad around.

When I went into AOL’s settings and opted out of ad targeting, the new ads that turned up were useless for me. Car insurance. Banking. LivingSocial deals I didn’t want. Leave me alone! Please show me something that will cure my volatile sneezing spasms every spring.

A relevant question

There are dozens, and perhaps hundreds, of so-called ad networks that place cookies on our computers so that advertisers will learn more about us, and not all of them can be tweaked. It’s also not entirely clear which ad network works for which advertiser placing ads on which Web site. That all probably explains why my overall ad-browsing experience didn’t totally change with my efforts.

There were, however, signs of relevancy. In my day-to-day surfing, I noticed a striking increase in the number of gadget and computer ads. I noticed flower ads. I noticed about a 20 percent decline in car ads. Did I also still see ads for beauty products? Yes. Did I also see ads for Goldman Sachs? Yes. Did those ads annoy me? Yes.

But there was an opportunity for existential transformation, too. Once one sees the true power of tracking, the idea of relevancy morphs into a difficult question: Do I want to keep turning over ever more of my life to faceless algorithms and corporate behemoths? It is, in fact, creepy. Seeing ads so perfectly tailored gave me the urge to look over my shoulder, but where?

And then there is this question: Are we naive to think advertising can be like the olden days, when we jammed quarters into big metal boxes to retrieve newspapers that contained the same ads that thousands and thousands of other people saw, too? Or is that world really gone for good, replaced by a World Wide Web that is constantly evolving and getting ever more personal, to the point of being a mirror of us?

I pondered those questions for a while without quite coming up with an answer. Then I went back to my browser to catch up on sports news, which I no longer get from that printed newspaper in a box. I get my sports news online. And there, next to some hockey news, was an ad for digital cameras at Best Buy. I thought about it for a second. Then I clicked on it.

ICBC offers up its drivers' license database (with facial recognition) to ID Vancouver rioters

The Insurance Corporation of British Columbia is offering up its massive database of drivers' license photos, accompanied by the biometric measurements of those photos, to the police to help identify those involved in the recent Stanley Cup riot. (See: Insurance corporation offers to help ID rioters - British Columbia - CBC News.)

They are saying they'd need a court order to do so, but nevertheless I think this is a serious issue that hopefully any judge considering such an application will think long and hard about. Yes the riot was appalling and yes there are many, many photos available of people who were involved. I am greatly concerned that information collected for one purpose, namely identifying licensed drivers, will be reused for a completely unrelated purpose without adequate debate about what this means in the big picture.

This would set a precedent in Canada that might permit the use of Foreign Affairs' massive passport photo database and each provincial drivers' license database to (supposedly) finger people in what is essentially a property crime investigation. If police are allowed access in this case, they'll be looking for access in many, many more. The "slippery slope" argument is a pretty compelling one, since once Pandora's box is opened it's very hard to put the lid back on.

Friday, June 10, 2011

Canadian Cloud Law Blog: Legal issues in cloud computing contracts

Just posted on my Canadian Cloud Law Blog:

Canadian Cloud Law Blog: Legal issues in cloud computing contracts

Yesterday, IT World Canada published a very lengthy article on the manifold legal issues that need to be considered when a company moves its data to the cloud, including a lengthy interview with me given a little while ago.

Here's the first part ...

Canadian cloud contracts: Liabilities and limitations - Page 1 - Leadership

More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.

But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.

“Once you move into a real cloud computing model, all of a sudden you don’t know where your data is — where in Canada or where in the world — and we’ve seen a big privacy-related backlash against cloud computing,” he said. So a large part of his job is telling people they’re wrong, since there’s a huge amount of misinformation out there.

Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.

“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”

Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.

But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.

Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”

Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.

“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”

Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.

On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.

Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.

What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”

Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.

Read more ...

Wednesday, June 08, 2011

Facebook's facial recognition system should help users control their privacy (but doesn't)

Facebook is edging back into the privacy spotlight with the expected global roll-out of assisted tagging of photos using facial recognition. The service scans uploaded photos for faces and suggests tags for the people in them. (See: Facebook's Latest Privacy Settings Shadiness Invades Your Drunk Pics - Gizmodo.)

What I'd like to see is the service being used in reverse: alert me if someone posts a photo of me on Facebook. If it can help someone tag me, it can surely recognize me in untagged photos and give me a heads-up. Just a thought on using the technology to let users control (or at least know about) others posting photos of them.

Don't be the weak link in the chain protecting your own online privacy

You may recall the old slogan: "Only you can prevent forest fires."

In the online age, one can't quite say "only you can prevent privacy and security breaches." We rely on so many people and organizations to take care of our data and often they let us down (see Sony, Epsilon and RSA, for example). But the one thing each user can control is whether they are a weak link in the chain protecting their own privacy.

Most recently, Google announced that it had become aware of attempts being made to get into certain users' GMail accounts. What's most interesting is that this was not an attempt to hack into Google, but a relatively sophisticated spear phishing attack focused at the users.

Canadians have also heard about attempts to get access to Canadian government computer systems, again through the users and not directly against the systems.

Users need to be constantly vigilant against these sorts of threats. Where possible, use services that take advantage of SSL encryption and authentication. Be very wary of anything that doesn't seem right and trust your instincts. If you are a GMail user, sign up for the two-factor authentication, which uses your cell phone or other mobile device as an access token that should prevent someone from getting into your account even if they manage to trick you into handing over your password.

For more steps you can take to protect your own privacy, check out http://www.staysafeonline.org/.

IPv6 and privacy

Given that today is World IPv6 Day, I thought I'd mention that assigning unique identifiers to all the devices on the internet has some privacy issues that need to be thought through. Check out Christopher Parsons' IPv6 and the Future of Privacy.

Tuesday, June 07, 2011

On the security vs. privacy debate

Well known privacy scholar Daniel J. Solove takes on the security vs. privacy debate in a recent article in Salon, which is a taste of his new book on the subject: Why "security" keeps winning out over privacy - War Room - Salon.com.

Monday, June 06, 2011

Privacy and location based services

Today, I was pleased to be among an esteemed faculty at the annual Law Society of Upper Canada and Canadian IT Law Association's spring professional development event focused on privacy and social/mobile services. My presentation focused on location based services.

In case it's of interest, here's my presentation:

The link to the presentation is here.

Time to check your permissions

Everyone should make it a habit to check your app permissions in any websites you use. I posted in March about it (Canadian Privacy Law Blog: Time to check your permissions) and now, three months later, time to do it again.

Here's where you should go to check your settings:

Take control over your accounts.

Sunday, June 05, 2011

Alberta Commissioner seeks leave to appeal Leon's case to the Supreme Court

In April, the Alberta Court of Appeal handed a significant defeat to the Information and Privacy Commissioner in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94 (CanLII), a case about whether a retailer is justified in collecting drivers' license and license plate information from customers picking up furniture. (See: Canadian Privacy Law Blog: Alberta Court of Appeal overrules province's Commissioner on license info.) Now it appears the Commissioner is taking the case to the Supreme Court of Canada. The application for leave to appeal was filed on May 26. The Court has discretion to determine whether it will hear the appeal, so it will be interesting to see whether the Court determines this to be a matter of national importance.

See also, Alberta’s privacy commissioner wants top court to overturn decision involving Leon's.