As most of you know by now, Ashley Madison (“Ashley Madison is the most famous name in infidelity and married dating.” quote from their site) was hacked last month and much of the data the hackers stole was released this week, on the dark web. Like many of you, I’ve been reading bits and pieces of the saga. Anyway, here’s five things that struck me about the whole affair:
- With a 6:1 ratio of men to women, a guy’s chance of “getting some” via AM are slightly less than they were in high school.
- Anyone (private sector, public sector, military, whatever) stupid enough to use a work email address and corporate assets (computer, network) to access AM ought to be dealt with according to corporate acceptable use policies and morals clauses in their employment contracts. It’s akin to using corporate assets to surf porn; just don’t. For what it’s worth, I don’t believe that morals clauses belong in employment contracts. We’re all adults and what I do on my own time is none of my employer’s (I don’t actually have one) business, provided it can’t be linked back to an employer and cover them in poop.
- There are a lot of morally superior and judgemental people on the planet. What they’re losing sight of is: 1 – Other people’s lives that don’t affect you are none of your ******* business; 2 – the hack was a criminal act. FULL. STOP.
- If what the hackers allege about AM’s security and not cleaning out data is true, the folks at AM are monumentally, irredeemably, irrefutably stupid and negligent.
- Lawyers and lawsuits – that didn’t take long. Tied with “Holy crap did we all of a sudden get a lot of downloads”, said the folks responsible for the TOR browser.
Apologies for jumping on the bandwagon and adding to the nonsense.
I read Use of File-Sharing Service Leads to $218,400 Fine for HIPAA Violation this morning (2015-07-17); it set me off.
I have no issue with the facts as reported in the article; what I do have issue with is the complete lack of balance. The article is written by Eric Packel of BakerHostetler (law firm in a buncha U.S. cities). As a lawyer, as someone who advises and counsels, he should know better than to leave things as they ended in the article. Yes, the company in question screwed up by stuffing a bunch of sensitive data in what I can only assume was a consumer-grade or mickey mouse type of cloud based file sharing system. They got what they deserved, hopefully learned a lesson, and hopefully not too many patients were compromised or inconvenienced.
No, what really, REALLY irks me about the article is that Eric did not conclude with concrete advice on how to prevent this type of situation. As a consultant, it’s my obligation to provide advice whether it’s directly on a client engagement or when I’m writing a post or article; and I hope I meet that obligation. The author of that article has the same obligation as I do, albeit at multiples of my billing rate.
It would have taken about three minutes to write a closing paragraph along the lines of …
“Hey! Don’t let this happen to you. There are many, many (130+ according to Alan Pelz-Sharpe until he stopped counting) cloud-based storage and sharing services out there. Pick one that’s certified for [whatever you need] and go. And don’t forget – you can outsource data but you can’t outsource accountability (paraphrasing Ann Cavoukian – former Info & Privacy Commish for Ontario).”
… how hard was that?
As it is, Eric feeds the FUD (fear – uncertainty – doubt). The cloud deniers have another “holy cow look what happens when you store stuff in the cloud!” incident to feed their paranoia.
Eric, buddy, you missed a glorious opportunity to make your point and educate the market a bit.
Last week I read this news story about vaginal rejuvenation surgery very closely (time wise) after seeing some Twitter items about the Internet of Things. I’m one of these people that draws mental connections between things, but I also tend to have a very juvenile sense of humour (there’s a horny adolescent lurking in here somewhere). Of course, I naturally thought “Hey! Marital aids should be connected to the internet.”
Now, I’m not 100% certain, but I’m pretty certain that there’s a few OBGYN’s out there who could team up with some sensor manufacturer and an adult toy manufacturer to build a marital aid that could measure what’s measurable and significant in helping to diagnose women’s health issues, then hook it to the web and send the stats (properly secured) to healthcare providers. Up the creep factor a bit and you’ve got some pretty intimate, 1-1 advertising opportunities there, too. I’m not certain that’s a good idea, though. Remember the retailer that told some teenager’s dad that she was pregnant? That didn’t go so well.
Scales, electric toothbrushes, thermometers, ear wax vacuum-sucker things … If / when connected to the internet, any of these things that many of us use on a daily basis open us up to truly helpful yet intrusive interactions. I don’t wanna be on my scale and receive ads for some weight loss clinic.
Anyways, what started out as a puerile dirty joke kinda got me thinking …
Samsung’s latest offerings (phone and watch) include a heart rate monitor. Could you hook it up like GM’s OnStar and contact emergency services if there’s a sudden change in BPM? Sure. Hell, combine it with the pedometer function and get some advice and ads targeted to your running goals / achievements.
Walk into any number of retailers today and they offer free wifi, distribute iBeacons, and track your every move through the store. Linger too long near the heartburn medicine then head to deep-fried, spicy goodness? Get a message telling you to head to fruits and veggies instead.
It’s easy to envision the day when you’re watching your smart TV, wearing your Google glasses and you suddenly receive a message from Health Canada or some political party, based on your programming choices and number of hours sitting on your duff.
My point is that there are endless possibilities and opportunities to positively impact the quality of life for all of us, by making use of technology (the devices and the data). On the other hand, how intimately do we want to be monitored and marketed to? Are we okay with having our intimate, personal, private moments being leveraged to sell us something or to advise us to take a certain course of action? How far is too far?
We bitch and moan about privacy but we demand immediacy and relevance from those selling and serving us. Personally, I’m sort of okay with being “advised” by brands when I’ve opted in. I’m not certain I’d be too cool with walking into an adult emporium and getting suggestions based on previous boudoir activities.
Last week a story was reported in the news about a stolen laptop. The laptop contained patient information for more than 620,000 Albertans. This is my response to the situation. It’s far less ranty than what was in my head before I started typing.
Last night I wrote a letter to the Alberta Privacy Commissioner (Jill Clayton), the Alberta Minister for Health (Fred Horne), and Medicentres (hope it gets to Dr. Arif Bhimji). I would have included the consultant, but he/she was simply identified as “IT Consultant”. I did copy the letter to CTV News (where I first read the story) and the Edmonton Journal.
The following links are to the stories on the CTV News site.
I’ll update this post if I hear anything from anyone involved.
Note to Medicentres – Please direct this to Dr. Arif Bhimji
I’m writing to you in regard to the theft of a laptop containing health information of approximately 620,000 Albertans.
My name is Chris Walker. I’m an Albertan whose health information may have been compromised by the above mentioned theft (I visited the St. Albert Medicentre in 2011 or 2012). I am also a consultant who specializes in Information Management and Governance.
First of all, I don’t understand why a consultant would be allowed to store personal information on his/her laptop and then leave the building with it. I’ve been a consultant for more than 25 years and have never had the need to store personal or sensitive information on a non-client controlled device, and I have never removed such information from client premises. During my career I’ve dealt with information from banks, pharmaceutical companies, provincial ministries, federal governments, municipal governments, etc. During many of those engagements I’ve had occasion to deal with extremely sensitive information. In all cases the information was stored and secured on client servers, or it was masked / redacted / sanitized before I even saw it. In the rare cases where I needed to access real information, it was always by using client hardware.
To the Consultant – I’d love to know what you were working on that you thought you needed to store live patient data on your laptop. I’d also love to know whether you were at Medicentre as an independent contractor or you were working on behalf of one of the System Integration firms. In either case, I’d love to know who you are so that, in case our paths cross, I can either educate you on how to properly handle sensitive information or make sure you’re never involved on any project that I am associated with.
To Dr. Bhimji – You need to go through those records and inform every one of the affected Albertans. Don’t put the onus on us to find out if we’ve been compromised. Be responsible and do the right thing. The fact is, as soon as you were aware of the theft you should have started identifying affected individuals and begun informing them of the situation. As it is, enough time has passed that damage may already have been done.
The complete lack of mention about the breach on your (Medicentres) website does not provide me with the sense that Medicentres is giving this matter the due it requires. That’s just my opinion as an Albertan, one of your patients, and as someone that makes a living by advising organizations about the proper management and handling of information.
That you’ve made some policy adjustments is great, however, how is that going to help any of us if our information’s been compromised? You really ought to have done something ages ago. For what it’s worth, you may also want to consider not giving access to live data to anyone that doesn’t absolutely need it to do their job. If you need some help sorting this out let me know; I’d be happy to help.
To Minister Horne – I agree that changes to legislation need to happen. I don’t think that you need to wait until the Privacy Commissioner releases her report to get started. To be frank, many changes to operating policies and procedures for managing information can be made without changing legislation at all; think of them as preventative measures.
Enacting new legislation for dealing with breaches is necessary since we’ll never have 100% security as far as sensitive information is concerned, but we also need to focus on preventing security breaches in the first place. Effective controls are far more cost effective than trying to clean up the potential messes that would occur once a breach happened.
To Commissioner Clayton – I don’t envy your position. I trust that you wanted to do the right thing, but were hampered by legislation. I hope that your investigation into this matter is fast-tracked. I encourage you to make the results of the investigation public; we have a right to know.
To All of You – I strongly suggest that you get involved with professional organizations such as AIIM (Global Community of Information Professionals) and ARMA (Association of Records Managers and Administrators). Both of these organizations are focused on managing, governing, and securing information. There are also organizations that deal specifically with information security and privacy. With the resources available to us today and with what we know about managing information, there’s just no excuse for what happened.
As someone whose information may have been compromised, I am angry. As someone who consults on Information Management and Governance, I’m incredulous that this happened considering how easy it is to prevent this type of thing. While the theft was a criminal, deliberate act, the presence of patient information on the stolen laptop was nothing more than negligence.
Update January 29, 2014 …
Much to my surprise, I did hear from Dr. Bhimji of Medicentres. Below is an excerpt from the email he sent last night. I’m happy to note that there is now mention of the privacy breach on Medicentres home page.
“I can advise that we reported the breach to the Privacy Commissioner and have worked closely with them. The Commissioner approved the form and wording of the notification.
The website is updated regularly and the information is found under the patient tab and has been present there since the announcement. I have asked the operations people to consider putting some information on the main landing page.
Patients have been advised about what measures they can take to determine if there have been any intrusions on their privacy. This information is available on our website and also by calling our call centre if you wish more detailed information.”
Update January 31, 2014
Heard from the Privacy Commissioner’s office that she will be making the results of the investigation and review public. – I’m very happy about this.
Heard from Medicentres’ folks that if you visited one of their clinics during the time period stated, you details are on the laptop that was stolen. We (the Medicentres person and I) both speculated that the theft was for the laptop, not the data, but we could be wrong.
After reading about Conservative MP Joy Smith’s pornography filter idea on the CTV News site, I decided to respond to her and David Cameron (he’s the British PM, you know). You can read about Smith’s plan here. You should also watch the video and read the comments; very entertaining.
Dear Joy and David
I think it’s great that you’re trying to protect the children, but back off, will you? It’s not your job; it’s my job as a parent.
I don’t have any problem with using legislation to keep illegal content off of the internet. I do, however, have a huge issue with government trying to keep objectionable content off the internet. You see, only I can determine for myself and my children what is objectionable. You can’t, my neighbours can’t, my community can’t, … only I can make that determination. You are heading into territory that smacks of censorship. You are advocating that government make moral decisions for citizens. You have no mandate nor right to do this.
Personally, I have no objection to pornography, as long as it depicts one or more consenting adults. I do object to any content that depicts or promotes racism, intolerance, Brussels sprouts, animal abuse, child abuse, elder abuse, Michael Jackson, Justin Bieber, spousal abuse, honour killings, violence against women, anti-gay sentiment, anti-pro-choice sentiment, … there’s a long list of things that I find objectionable. However, as long as it’s not illegal, leave it out there and let those of us with a couple of functioning brain cells decide for ourselves whether or not to check it out.
You mention that you’re proposing this to protect the children from pornography (among other things). Are you really certain that it will work? One of the issues is that parents aren’t actively filtering what their children can see when connected to the internet. What makes you think that applying a filter, which can be turned off, will change this? If Mummy or Daddy want to see naughty-naughty on the computer, they will turn the filter off and chances are that any kids using the computer will be able to view naughty-naughty because Mummy and Daddy haven’t set up the appropriate controls at the DEVICE and USER levels.
If Mummy and Daddy were smart or pro-active enough to set up the controls in the first place, the filter you propose would not be necessary. If they’re not smart or pro-active enough, the filter you propose won’t be effective because they’ll turn it off to view naughty-naughty and never control things at the user and device level.
Parents need to be more actively involved in what their children are doing online and offline. I have three children, two of whom are old enough to be computer users. I have taken the time to set up parental controls for each of them, and to monitor what they are doing online. This doesn’t mean that nothing gets by what I’ve put in place; it means that I am aware of anything getting by and I can adjust settings when I have to. It means that I actually talk to my children about their online activity. It means that I educate myself and my children about spending time online. It means that if my children come across something that disturbs or confuses them, whether or not it’s sexual, we discuss it as a family. It means that my wife and I take the time to have frank, age appropriate discussions about love and sexuality with our children. It also means that my children have more to their lives than just the internet.
Active, informed parental involvement, coupled with managing internet security settings (it’s not that hard and there are plenty of free resources and tools) will do far more to protect children from seeing porn on the internet than instituting a nanny state filter could ever hope to.
Joy and David, thanks for trying, but spend taxpayer money where it makes more sense. Education, healthcare, anti-poverty measures … these and many more initiatives can use all the money they can get. I’m fully supportive of doing whatever can be done to rid the internet of illegal content and bringing the purveyors to justice; but when it comes to censoring content that is legal, stay out of my house and off my internet.
Involved Parent & Internet User
Please note, I am not a lawyer, nor have I played one on TV (though I really liked Boston Legal). I’m also not a privacy expert, but I really value mine. Like, really value it. I mean it.
Earlier this week, March 27th to be precise, the Supreme Court of Canada ruled that authorities need a wiretap warrant to “intercept” text messages, the same as they need for listening in on phone conversations. You can read the full ruling here and you can check out CTV’s take on it here. For you non-Canadians, CTV is one of our national broadcasters.
In essence, the court opined that text messages are equivalent to an electronic conversation and should be afforded the same level of privacy. So far so good, but what I want to know is what makes communication a conversation? To my mind, a conversation occurs when one or more parties are interactively using their words and their ears. Whether the conversation occurs on the phone, in person, over computers … whatever, makes absolutely no difference. At the same time, what excludes electronic communication from being a conversation?
Is a chat via instant messaging not an electronic conversation much like text messaging? True, the devices may be different, but it was the court that stated that the technology should not matter. Are private/direct messages via social networking sites not private conversations? Is an email thread between specific individuals not sometimes a private, electronic conversation?
My point is this …
If we’re going to hold the authorities to a higher standard when they want to “listen in” on our conversations, we need to be very clear about what a “conversation” is. If text messages require a wiretap warrant (btw, what about texts stored on the device?), then so too should instant messages, private/direct messages, and some emails.
I’m in favour of providing the authorities with the tools they need to effectively deal with crime and criminals, but not at the expense of my privacy.