Wednesday, March 30, 2011

Are there keyloggers on Samsung laptops?

As someone who owns a Samsung smartphone and bought a Samsung netbook around Christmas, I'd like to know the answer to this question: Why are there keyloggers on Samsung laptops? | InSecurity Complex - CNET News.

Update: It appears that it was a false alarm. Here's the latest from Network World:

UPDATE: Samsung keylogger could be false alarm

[UPDATE: Samsung has launched an investigation into the matter and is working with Mich Kabay and Mohamed Hassan in the investigation. Samsung engineers are collaborating with the computer security expert, Mohamed Hassan, MSIA, CISSP, CISA, with faculty at the Norwich University Center for Advanced Computing and Digital Forensics, and with the antivirus vendor whose product identified a possible keylogger (or which may have issued a false positive). The company and the University will post news as fast as possible on Network World. A Samsung executive is personally delivering a randomly selected laptop purchased at a retail store to the Norwich scientists. Prof. Kabay praises Samsung for its immediate, positive and collaborative response to this situation.]

[UPDATE 3/31/11: Samsung has issued a statement saying that the finding is false. The statement says the software used to detect the keylogger, VIPRE, can be fooled by Microsoft's Live Application multi-language support folder. This has been confirmed at F-Secure and two other publications, here and here. The headline on this article has been changed to reflect this new information.]

[UPDATE 3/31/11: GFI Labs, the maker of VIPRE, has issued an explanation and apology for generating the false positives that led to these articles: "We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive."]

Tuesday, March 29, 2011

The social network for lawyers

This week's Lawyer's Weekly has an article on blogging for lawyers. I couldn't agree more with it about being part of an online community and an interesting conversation.

Here's an excerpt:

The social network

...But attracting attention doesn’t mean posting an ad online. Some lawyers are gaining reputations and followings on the web by blogging or tweeting about different subjects or practice areas for which they have some expertise and familiarity, according to University of Ottawa technology law professor Michael Geist, whose website (MichaelGeist.ca), which attracts more than 10,000 daily hits, is a go-to online destination for the latest buzz on technology issues.

An avid blogger and keen Twitter user, Geist has spotted some rising stars in the digital universe.

One of them is Bram Abramson, an associate in the business law group at McCarthy Tétrault LLP in Toronto, who was only called to the Ontario Bar in 2008 and has already made a name for himself on the web.

“There are a number of people — myself included — who note his presence on Twitter,” says Geist, who holds the Canada Research Chair in Internet and E-commerce Law at the U of O.

“He’s very knowledgeable on things related to the CRTC and telecommunications.”

Abramson says that it’s important for him to connect with clients and colleagues, and social media tools, such as Twitter, are important methods of having a “conversation” with them.

“If you view social media as purely an avenue of self-marketing, it won’t work.

“However, people will appreciate honest participation and efforts online to provide useful information.”

Another lawyer whose Internet presence has earned him respect from his peers is David Fraser, a partner with Halifax-based law firm, McInnes Cooper, who has harnessed his expertise in privacy law into a wildly popular website and blog (PrivacyLawyer.ca).

“How does a privacy lawyer from Halifax become one of the best-known privacy lawyers in this country? He does it through his blog,” says Geist.

“I don’t think there’s any doubt his social media work has had a big impact on his reputation across the country.”

Fraser has set the “gold standard” for blogging, according to Jacob Glick, Canada policy counsel for Google Inc. in Ottawa.

“I created the blog on Jan. 1, 2004, when the federal Personal Information Protection and Electronic Documents Act [PIPEDA] came fully into effect, to join in the online conversation about technology and law,” explains Fraser, adding that he sees his blogging as an extension of the writing lawyers have always done since the beginnings of the profession.

“Blogging provided me, as a junior lawyer when I began, the opportunity to reach a global audience and eventually build an international practice from my office in Halifax.”

Glick says that lawyers are using electronic tools like Facebook, Twitter and Google AdWords “to promote themselves, to find people, and connect with colleagues and clients.”

He also believes that lawyers engaged in blogging and tweeting are the e-equivalent to writing a law journal article but reach “an audience of more than half a dozen.”

“Some lawyers who blog develop a strong brand associated with a particular point of view on an issue,” says Glick.

“That may scare away some clients, but may well endear them to other clients.”....

Monday, March 28, 2011

Tracing users via IP addresses

PC Pro from the UK has an interesting article on the reality of tracing individual users using IP addresses. Check it out: Can you really be traced from your IP address? | Analysis | Features | PC Pro.

Wednesday, March 23, 2011

Court says there's no tort of invasion of privacy in Ontario

The Ontario Superior Court of Justice just released a decision today in Jones v. Tsige, 2011 ONSC 1475 (PDF), which states, clearly and without ambiguity, that there is no free-standing tort of invasion of privacy in Ontario.

The facts involve a claim against an employee of a bank who reviewed the plaintiff's confidential banking records on at least 174 occasions. Whitaker J. canvassed a number of authorities, including the well-known case of Somwar v MacDonalds, but concluded that there is no such tort. The Court notes that the plaintiff had a remedy under PIPEDA:

In Ontario, it cannot be said that there is a legal vacuum that permits wrongs to go unrighted - requiring judicial intervention.

[54] More particularly here, there is no doubt that PIPEDA applies to the banking sector and Ms. Jones had the right to initiate a complaint to the Commissioner under that statute with eventual recourse to the Federal Court. For this reason I do not accept the suggestion that Ms. Jones would be without any remedy for a wrong, if I were to determine that there is no tort for the invasion of privacy.

[55] Notwithstanding the careful reasoning in Somwar and its adoption in Nitsopoulos, I conclude that the decision of the Court of Appeal in Euteneier is binding and dispositive of the question as to whether the tort of invasion of privacy exists at common law.

[56] I would also note that this is not an area of law that requires judge-made rights and obligations. Statutory schemes that govern privacy issues are, for the most part, carefully nuanced and designed to balance practical concerns and needs in an industry-specific fashion.

[57] I conclude that there is no tort of invasion of privacy in Ontario.

It will be interesting to see if this conclusion may be avoided if there is no remedy available under PIPEDA or any other statute. It'll also be interesting to see if it's appealed.

Major tip o' the hat to Dan Michaluk: No Invasion of Privacy Tort in Ontario « All About Information.

Privacy-related bills to die on the order paper if Canadian election called

With talk of an election heating up in Canada, I thought I'd provide a list of the government bills that will likely die on the order paper if the government is brought down or if the PM wanders over to speak with the Governor General about dissolving parliament:


  • C-29: An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians’ Personal Information Act). First Reading in the House of Commons (May 25, 2010).
  • C-50: An Act to amend the Criminal Code (interception of private communications and related warrants and orders) (Improving Access to Investigative Tools for Serious Crimes Act). First Reading in the House of Commons (October 29, 2010).
  • C-51: An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Investigative Powers for the 21st Century Act). First Reading in the House of Commons (November 1st, 2010).
  • C-52: An Act regulating telecommunications facilities to support investigations (Investigating and Preventing Criminal Electronic Communications Act). First Reading in the House of Commons (November 1st, 2010).

Bills C-50, C-51 and C-52 need some major work so I'm fine to see them go back into parliamentary purgatory, but the PIPEDA amendments (C-29) were pretty good and I'd hate to think we're back to the drawing board.

Ontario Appeal court on employee expectation of privacy on a work-provided laptop

Dan Michaluk, over at slaw.ca, writes about an interesting (and now leading) case from the Ontario Court of Appeal on an employee's expectation of privacy on a work-provided laptop computer. Here's a portion of the post, which can be found here: Ontario Work Computer Search Case – Privacy Concerns Real but Employers Still may Govern — Slaw.

Justice Karakatsanis wrote for the Court of Appeal. She assumed that the Charter applied to the board and found the teacher had a reasonable expectation of privacy in the contents of his laptop based on the following factors:
  • he had exclusive possession of the laptop;
  • he had permission to use it for personal use;
  • he had permission to take it home on evenings, weekends and summer vacation;
  • there was no evidence the board actively monitored teachers’ use of laptops;
  • the board had no clear and unambiguous policy to monitor, search or police the teacher’s use of his laptop.

The case is here: R. v. Cole, 2011 ONCA 218.

Wednesday, March 16, 2011

Is the US closer than ever to a general privacy law?

Just more than thirty years after the adoption of the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the United States seems closer than ever to adopting a general privacy law. Today, before the US Senate Committee on Commerce, Science, and Transportation, Lawrence E. Strickling (Assistant Secretary for Communications and Information, National Telecommunications and Information Administration of the U.S. Department of Commerce) called on Congress to adopt a privacy law that amounts to a "Consumer Privacy Bill of Rights."

From Strickling's testimony:

National Telecommunications and Information Administration

A. Enacting a Consumer Privacy Bill of Rights.

The Administration urges Congress to enact a "consumer privacy bill of rights" to provide baseline consumer data privacy protections. Legislation should consider statutory baseline protections for consumer data privacy that are enforceable at law and are based on a comprehensive set of FIPPs. Comprehensive FIPPs, a collection of agreed-upon principles for the handling of consumer information, would provide clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws or otherwise require additional protection. To borrow from one of the responses we received, baseline FIPPs are something that consumers want, companies need, and the economy will appreciate.

The Administration recommends that the baseline should be broad and flexible enough to allow consumer privacy protection and business practices to adapt as new technologies and services emerge. As noted by two privacy scholars, "[b]roadly worded legislation . . . motivates firms to produce an industry code of conduct as a way to construe and clarify the statutory scheme. Thus, baseline privacy legislation and incentives for industry to develop codes of conduct can go hand-in-hand."

Finally, a baseline law holds the promise of making our consumer data privacy framework more interoperable with international frameworks. Again, leading Internet innovators support baseline legislation as a means of achieving this objective. For example, a leading online company noted that "FIPPs is a common language used by many governments worldwide, so use of similar terminology will enhance opportunities for agreement and practical approaches to data policy." A Web standards organization stated that "[e]stablishing baseline commercial data privacy principles contribute[s] to the further harmonization of the global ecommerce market at least for the countries attached to the OECD, and improve[s] the transatlantic relations on online services of all sorts." Other comments, which represent a wide variety of American companies, consumer advocates, and academic scholars, also supported this position, often noting that improving global interoperability could benefit companies by reducing their compliance burdens overseas.

The Green Paper suggested that comprehensive FIPPs can serve as a basis for stronger consumer trust while also providing the flexibility necessary to define more detailed rules that are appropriate for the relationships and personal data exchanges that arise in a specific commercial context. The FIPPs that the Green Paper presented for discussion were transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing. We received many thoughtful comments on how each of these principles might apply to the commercial context, and we are continuing to assess whether these principles provide the right framework for online consumer data privacy. The Administration looks forward to working further with Congress and stakeholders to define these baseline protections.

Tuesday, March 15, 2011

Missing Alberta health care provider hard drive had thousands of patient images

An unencrypted hard drive has gone missing at Covenant Health in Alberta, leading to an investigation by the province's Information and Privacy Commissioner. The drive, it appears, contained exclusively images, but many of them would be considered to be highly sensitive, including video of surgeries. The names and hospital numbers of the 3,600 relevant patients are also apparent from the directory and file naming systems. The drive apparently went missing when an employee was moving offices. Because it was not a "portable" drive, the data was not encrypted.

See: Missing hard drive had thousands of patient images - Calgary - CBC News.

Monday, March 14, 2011

4Chan founder on privacy online

The founder of the (in)famous 4Chan website, Christopher Poole, has garnered a bit of press recently (including a profile in this month's Vanity Fair), but has also generated a bit of buzz due to his recent presentation given at South By Southwest Interactive about online privacy.

His views are often contrasted with those of Facebook's Mark Zuckerberg.

Hopefully this will prompt more discussion on this important topic.

4chan founder: Zuckerberg is “totally wrong” about online identity | VentureBeat

...Poole argued that anonymity allows users to reveal themselves in a “completely unvarnished, unfiltered, raw way.” One of the things that’s lost when you carry the same identity everywhere is “the innocence of youth.” (“Innocence” isn’t the first word that would come to mind when I think of 4chan, but okay, I’ll go with him here.) In other words, when everyone knows everything you’ve done online, you’re a lot more worried about screwing up, and you’re less willing to experiment. Poole compared this to being a kid, moving to a new neighborhood, and having the opportunity to start over. On the Internet, you don’t get that opportunity.

“The cost of failure is really high when you’re contributing as yourself,” Poole said.

In the case of 4chan, users feel a lot more comfortable trying to create funny images that can become memes, because content that doesn’t catch on disappears quickly, and they’re not weighed down by their failures. Poole said another benefit to 4chan’s anonymity is that content becomes more important than the creator, which is unlike virtually any other online community. Rather than prioritizing the most valued and experienced users, 4chan allows anyone to access the site and post something that might take off....

IP, privacy and defamation issues for magazine publishers

This afternoon, my partner Rob Cowan (@cowanlaw) and I jointly presented at Magazines East 2011 on legal issues of relevance to magazine publishers, writers, editors and freelancers. We focused on IP law, privacy and defamation.

Here's the presentation, in case it's of interest:

If the presentation isn't embedded above for you, you can find it here: https://docs.google.com/present/view?id=ddpx56cg_434ffcgtqcx&interval=30.