Michael Geist’s recent Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner’s office should consider several changes to its reporting approach including releasing full reports and exercising its power by identifying the targets of well-founded privacy complaints. At the present time, those that violate Canada’s privacy law are invariably protected under a veil of anonymity.
These are all fine suggestions, but will they make a difference?
The fundamental problem is that Canadian regulators remain unable and unwilling to impose serious penalties for privacy infringements. So, what does a rational CEO choose to do? Spend as little as humanly possible on privacy issues until they mess up. Then the regulator shows up, and gently slaps them on the wrist. Today, it would quite possibly be a breach of fiduciary duty to spend a lot of money on security in Canada. Sure, there’s a need to comply with the law, but there’s also a need to do so economically.
Geist goes on to say:
Adopting a naming names approach to the well-founded subset of those findings could be manifestly justified on public interest grounds, providing the public with valuable information in assessing the privacy practices of Canadian organizations as well as sending a much-needed message that failure to comply with the law will result in serious consequences.
He’s absolutely correct here, but a little bit of a black eye isn’t a serious consequence. The commissioner needs to take cases to court, and see to it that substantial fines are imposed. Anything less will leave Canada’s law toothless.
(From “Interesting People,” [IP] Canadian privacy law protects those who break it)
[Update: To be fair, Geist does conclude by discussing the need for effective enforcement; I just think that needs to be visible in the bottom line.]
[Update, 10/31: See my new post on this subject; Geist is more insightful on this than me.]
There’s a critique of Google’s new Desktop Search that it…wait for it…searches your computer! No, really, it does. And so it finds things that are … on your computer! Some of the things that Microsoft hides between users, like your email, your spouse’s email, and your IM logs, are exposed. This is probably a bad thing, but they were exposed before, just not placed on your desktop for easy access.
There’s a related complaint, which is that Google picks up confidential documents that webmasters expose to the internet, and lets you search for them.
There are other concerns that are more legitimate. Google should segment Gmail and Orkut from the main searches. Google could sell you an ad-free Gmail account. That would be cool. But I can’t see why anyone would be upset that their email is being indexed, unless data from that index is sent to the mothership.
Ed Hasbrouck, who in a more perfect world would be paid to be the TSA’s chief privacy officer, writes RFID passport data won’t be encrypted:
So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able — without ever having actually seen you or your passport — to create a perfectly valid-seeming passport, with a valid encrypted and properly signed digital hash, with your photograph but a signature in their handwriting.
I haven’t read all his source documents, but what he writes and what Schneier wrote show that the revision of passports is to make them dramatically more effective as mass-surveillance devices.
In my crotchety old man mode, I’ll mention that Hugh Daniels made buttons for CFP ’96 asking “Is Your Jew Bit Set?” showing how to encode information secretly in such schemes, and governments are just catching up.
(Via The Practical Nomad.)
Ryan Singel has a couple of good posts up: Why Privacy Laws and Advocates Matter and Trusty Logo Not Worth The Pixels It Is Printed On. The latter explains in detail what economics predicts: Trusty won’t shaft its paying customers to make them actually enforce privacy policies, when people who rely on the trusty seal complain. This makes the Trusty seal worthless, which will eventually come back to bite them, but they get to ride the gravy train for a while.
Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic Press.
(It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the publisher allows.)
So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which Verisign has been trying, and failing, to flog to consumers for years. (It may be this.)
What’s unclear are the privacy implications. If this is an X.509 cert on a USB token, then what this means is that children will not have privacy in these “kid only” spaces. They’ll be subject to monitoring under their real name. This damages one of the best features of the internet, which is the ability of kids to go online and explore different identities fearlessly. Read their chatroom rules of use: Cyberdating is dangerous!
At least they’re up front in their terms of service: You are being watched. Your name will follow you. Yeah, I wanna go play there.
Ian Grigg has some very interesting comments on Verisign’s certificate business and what it means for privacy, over at Financial Cryptography.
So it seems that two members of Congress have now been added to “watch lists.”
“[Representative John] Lewis contacted the Department of Transportation, the Department of Homeland Security and executives at various airlines in a so-far fruitless effort to get his name off the list, said spokeswoman Brenda Jones.”
It seems that this sort of thing is exactly what the Privacy Act of 1974 was intended to prohibit–secret databases that control your life that you can’t get out of. Except, section j.2 exempts “police efforts to prevent, control, or reduce crime.”
If Congresspeople can’t get themselves off the list, what hope does David Nelson or Johnnie Thomas have?
Criteria for being put on the list are secret. Criteria for being removed from the list are nonexistent. This only makes sense if you’re a career government employee who never wants to have to explain their actions to Congress. A few complaints, sure, but those aren’t career limiting.
John Gilmore is suing for the right to travel without ID, and not subject to secret laws “communicated orally, from week to week.” If he wins, airport security will have to stop wasting time and energy harassing Congresspeople, and focus on searching people for weapons. In addition, airlines will no longer be able to collect extra data about each and every passenger for marketing purposes, with it being a crime to lie or try to stay out of their databases. A win for security, a win for privacy, a win for liberty.