Category Archives: Security & Privacy

Various security and privacy related issues and mumblings

Facebook breaches Canadian privacy law

Ok, so you didn’t need the Portable Consultant to tell you that Facebook has privacy issues, but this CBC news story covers the particulars of how the site breaches PIPEDA, the Canadian privacy legislation.

My own use of the online games is minimal because I was always concerned about the permission statements that you get when you sign up for them.

That’s not how I personally use Facebook anyway, but the recent ‘conversion’ of a cute aquarium game (send pretty fishes to your friends’ aquariums) to a dating service with constant emails (“Honestly, Dear… all those speed date emails are spam. All I ever did was send her a fish!”)… well, that was downright naughty. Bad Facebook, bad, bad!

I was struck by one item in the news report that would be funny if it weren’t true:

“- Facebook keeps the profiles of deceased users for “memorial purposes” but does not make this clear. Recommendation: Information about use for memorial purposes should be in Facebook’s privacy policy.”

…Thank you, Facebook, but when the time comes The Portable Consultant would rather have family and friends handle any and all memorials. All social networking sites should delete accounts after an agreed period without any logins, at the very least. (This is a much larger issue, of course.)

Facebook needs to get its act together, but users/consumers also need to understand how important personal info is …and take care not to sign it away without due diligence.

Cheers,
-pmh

Who’s still got your content?

A while back, your Portable Consultant was intrigued to read a BBC story about “Websites ‘keeping deleted photos’” for a couple of reasons. Firstly, it showed a surprising degree of technical knowledge that used to be absent from Internet stories. The method that the researchers used to retrieve photos from social network sites after they had supposedly been deleted is trivial, but used to be beyond the abilities of news organizations to understand. There’s obviously a new generation of reporters and researchers who understand this beat.

Secondly, the heart of the issue, as clearly stated by Joseph Bonneau, “It’s imperative to view privacy as a design constraint, not a legal add-on”, should be framed and hung on the walls of web designers and managers, not only at social networking sites but also those in the public service, in the private sector, and even corporate intranets.

Cheers,
-pmh

Newfoundland data take out

It never rains, but it pours. Another data loss story has broken closer to home… well, Newfoundland is not that close but too close for comfort:

It seems that a “private sector consultant” on a provincial government contract (not unlike The Portable Consultant, in fact) took a government PC home and may have exposed personal data to the public Internet.

The initial reports are technically vague, but the reports of the incident seem to point to a situation that is wrong on so many levels that it’s enough to make me want to tear my hair out… umm… so to speak.

Government PCs should never be taken home… or even invited to drinks and a dinner! What may be a properly behaved PC in a government cubicle becomes a rogue “unmanaged system” when it is removed from the safety of its usual firewalls.

Production data covered by privacy restrictions probably has no reason to be on a PC in the first place. Such data should probably be locked up in encrypted databases on secure servers and only accessed via secure methods.

The consultant should probably have been working with dummy data. In any case, they should be reading Privacy for Dummies and writing a short quiz before they are allowed near restricted data.

The story has a bizarre twist with a so-called “representative of a security company” contacting the consultant to tell them that they were “in possession” of some of the patient records. Since when would anyone in security actually download such data if they came across it? Sounds a bit weird.

Unfortunately, the news media often don’t have enough resources with the expertise to ask the right questions when a story like this breaks.

Perhaps it’s enough to know that it appears to have been the result of not one, but many lapses of security policies.

Cheers,
-pmh