5 Thoughts – The Ashley Madison Hack


cube-482035_640As most of you know by now, Ashley Madison (“Ashley Madison is the most famous name in infidelity and married dating.” quote from their site) was hacked last month and much of the data the hackers stole was released this week, on the dark web. Like many of you, I’ve been reading bits and pieces of the saga. Anyway, here’s five things that struck me about the whole affair:

  1. With a 6:1 ratio of men to women, a guy’s chance of “getting some” via AM are slightly less than they were in high school.
  2. Anyone (private sector, public sector, military, whatever) stupid enough to use a work email address and corporate assets (computer, network) to access AM ought to be dealt with according to corporate acceptable use policies and morals clauses in their employment contracts. It’s akin to using corporate assets to surf porn; just don’t. For what it’s worth, I don’t believe that morals clauses belong in employment contracts. We’re all adults and what I do on my own time is none of my employer’s (I don’t actually have one) business, provided it can’t be linked back to an employer and cover them in poop.
  3. There are a lot of morally superior and judgemental people on the planet. What they’re losing sight of is: 1 – Other people’s lives that don’t affect you are none of your ******* business; 2 – the hack was a criminal act. FULL. STOP.
  4. If what the hackers allege about AM’s security and not cleaning out data is true, the folks at AM are monumentally, irredeemably, irrefutably stupid and negligent.
  5. Lawyers and lawsuits – that didn’t take long. Tied with “Holy crap did we all of a sudden get a lot of downloads”, said the folks responsible for the TOR browser.

Apologies for jumping on the bandwagon and adding to the nonsense.

The Sky’s NOT Falling – A Missed Opportunity


sky-is-fallingI read Use of File-Sharing Service Leads to $218,400 Fine for HIPAA Violation this morning (2015-07-17); it set me off.

I have no issue with the facts as reported in the article; what I do have issue with is the complete lack of balance. The article is written by Eric Packel of BakerHostetler (law firm in a buncha U.S. cities). As a lawyer, as someone who advises and counsels, he should know better than to leave things as they ended in the article. Yes, the company in question screwed up by stuffing a bunch of sensitive data in what I can only assume was a consumer-grade or mickey mouse type of cloud based file sharing system. They got what they deserved, hopefully learned a lesson, and hopefully not too many patients were compromised or inconvenienced.

No, what really, REALLY irks me about the article is that Eric did not conclude with concrete advice on how to prevent this type of situation. As a consultant, it’s my obligation to provide advice whether it’s directly on a client engagement or when I’m writing a post or article; and I hope I meet that obligation. The author of that article has the same obligation as I do, albeit at multiples of my billing rate.

It would have taken about three minutes to write a closing paragraph along the lines of …

“Hey! Don’t let this happen to you. There are many, many (130+ according to Alan Pelz-Sharpe until he stopped counting) cloud-based storage and sharing services out there. Pick one that’s certified for [whatever you need] and go. And don’t forget – you can outsource data but you can’t outsource accountability (paraphrasing Ann Cavoukian – former Info & Privacy Commish for Ontario).”

… how hard was that?

As it is, Eric feeds the FUD (fear – uncertainty – doubt). The cloud deniers have another “holy cow look what happens when you store stuff in the cloud!” incident to feed their paranoia.

Eric, buddy, you missed a glorious opportunity to make your point and educate the market a bit.

Internet of Intimate Things


Last week I read this news story about vaginal rejuvenation surgery very closely (time wise) after seeing some Twitter items about the Internet of Things. I’m one of these people that draws mental connections between things, but I also tend to have a very juvenile sense of humour (there’s a horny adolescent lurking in here somewhere). Of course, I naturally thought “Hey! Marital aids should be connected to the internet.”

Now, I’m not 100% certain, but I’m pretty certain that there’s a few OBGYN’s out there who could team up with some sensor manufacturer and an adult toy manufacturer to build a marital aid that could measure what’s measurable and significant in helping to diagnose women’s health issues, then hook it to the web and send the stats (properly secured) to healthcare providers. Up the creep factor a bit and you’ve got some pretty intimate, 1-1 advertising opportunities there, too. I’m not certain that’s a good idea, though. Remember the retailer that told some teenager’s dad that she was pregnant? That didn’t go so well.

Scales, electric toothbrushes, thermometers, ear wax vacuum-sucker things … If / when connected to the internet, any of these things that many of us use on a daily basis open us up to truly helpful yet intrusive interactions. I don’t wanna be on my scale and receive ads for some weight loss clinic.

Anyways, what started out as a puerile dirty joke kinda got me thinking …

Samsung’s latest offerings (phone and watch) include a heart rate monitor. Could you hook it up like GM’s OnStar and contact emergency services if there’s a sudden change in BPM? Sure. Hell, combine it with the pedometer function and get some advice and ads targeted to your running goals / achievements.

Walk into any number of retailers today and they offer free wifi, distribute iBeacons, and track your every move through the store.  Linger too long near the heartburn medicine then head to deep-fried, spicy goodness? Get a message telling you to head to fruits and veggies instead.

It’s easy to envision the day when you’re watching your smart TV, wearing your Google glasses and you suddenly receive a message from Health Canada or some political party, based on your programming choices and number of hours sitting on your duff.

My point is that there are endless possibilities and opportunities to positively impact the quality of life for all of us, by making use of technology (the devices and the data). On the other hand, how intimately do we want to be monitored and marketed to? Are we okay with having our intimate, personal, private moments being leveraged to sell us something or to advise us to take a certain course of action? How far is too far?

We bitch and moan about privacy but we demand immediacy and relevance from those selling and serving us. Personally, I’m sort of okay with being “advised” by brands when I’ve opted in. I’m not certain I’d be too cool with walking into an adult emporium and getting suggestions based on previous boudoir activities.

My Reaction – Laptop Stolen – 620K Patient Records Compromised


Last week a story was reported in the news about a stolen laptop. The laptop contained patient information for more than 620,000 Albertans. This is my response to the situation. It’s far less ranty than what was in my head before I started typing.

Last night I wrote a letter to the Alberta Privacy Commissioner (Jill Clayton), the Alberta Minister for Health (Fred Horne), and Medicentres (hope it gets to Dr. Arif Bhimji). I would have included the consultant, but he/she was simply identified as “IT Consultant”. I did copy the letter to CTV News (where I first read the story) and the Edmonton Journal.

The following links are to the stories on the CTV News site.

I’ll update this post if I hear anything from anyone involved.

http://edmonton.ctvnews.ca/laptop-containing-health-information-for-thousands-stolen-province-seeking-investigation-1.1651500

http://edmonton.ctvnews.ca/privacy-commissioner-frustrated-after-laptop-with-personal-information-stolen-1.1653696

This is a bonus story – http://edmonton.ctvnews.ca/patient-information-stolen-from-covenant-health-1.1656104#commentsForm-478263

Note to Medicentres – Please direct this to Dr. Arif Bhimji

I’m writing to you in regard to the theft of a laptop containing health information of approximately 620,000 Albertans.

My name is Chris Walker. I’m an Albertan whose health information may have been compromised by the above mentioned theft (I visited the St. Albert Medicentre in 2011 or 2012). I am also a consultant who specializes in Information Management and Governance.

First of all, I don’t understand why a consultant would be allowed to store personal information on his/her laptop and then leave the building with it. I’ve been a consultant for more than 25 years and have never had the need to store personal or sensitive information on a non-client controlled device, and I have never removed such information from client premises. During my career I’ve dealt with information from banks, pharmaceutical companies, provincial ministries, federal governments, municipal governments, etc. During many of those engagements I’ve had occasion to deal with extremely sensitive information. In all cases the information was stored and secured on client servers, or it was masked / redacted / sanitized before I even saw it. In the rare cases where I needed to access real information, it was always by using client hardware.

To the Consultant – I’d love to know what you were working on that you thought you needed to store live patient data on your laptop. I’d also love to know whether you were at Medicentre as an independent contractor or you were working on behalf of one of the System Integration firms. In either case, I’d love to know who you are so that, in case our paths cross, I can either educate you on how to properly handle sensitive information or make sure you’re never involved on any project that I am associated with.

To Dr. Bhimji – You need to go through those records and inform every one of the affected Albertans. Don’t put the onus on us to find out if we’ve been compromised. Be responsible and do the right thing. The fact is, as soon as you were aware of the theft you should have started identifying affected individuals and begun informing them of the situation. As it is, enough time has passed that damage may already have been done.

The complete lack of mention about the breach on your (Medicentres) website does not provide me with the sense that Medicentres is giving this matter the due it requires. That’s just my opinion as an Albertan, one of your patients, and as someone that makes a living by advising organizations about the proper management and handling of information.

That you’ve made some policy adjustments is great, however, how is that going to help any of us if our information’s been compromised? You really ought to have done something ages ago. For what it’s worth, you may also want to consider not giving access to live data to anyone that doesn’t absolutely need it to do their job. If you need some help sorting this out let me know; I’d be happy to help.

To Minister Horne – I agree that changes to legislation need to happen. I don’t think that you need to wait until the Privacy Commissioner releases her report to get started. To be frank, many changes to operating policies and procedures for managing information can be made without changing legislation at all; think of them as preventative measures.

Enacting new legislation for dealing with breaches is necessary since we’ll never have 100% security as far as sensitive information is concerned, but we also need to focus on preventing security breaches in the first place. Effective controls are far more cost effective than trying to clean up the potential messes that would occur once a breach happened.

To Commissioner Clayton – I don’t envy your position. I trust that you wanted to do the right thing, but were hampered by legislation. I hope that your investigation into this matter is fast-tracked. I encourage you to make the results of the investigation public; we have a right to know.

To All of You – I strongly suggest that you get involved with professional organizations such as AIIM (Global Community of Information Professionals) and ARMA (Association of Records Managers and Administrators). Both of these organizations are focused on managing, governing, and securing information. There are also organizations that deal specifically with information security and privacy. With the resources available to us today and with what we know about managing information, there’s just no excuse for what happened.

As someone whose information may have been compromised, I am angry. As someone who consults on Information Management and Governance, I’m incredulous that this happened considering how easy it is to prevent this type of thing. While the theft was a criminal, deliberate act, the presence of patient information on the stolen laptop was nothing more than negligence.

Sincerely,

Chris Walker

Update January 29, 2014 …

Much to my surprise, I did hear from Dr. Bhimji of Medicentres. Below is an excerpt from the email he sent last night. I’m happy to note that there is now mention of the privacy breach on Medicentres home page.

I can advise that we reported the breach to the Privacy Commissioner and have worked closely with them.  The Commissioner approved the form and wording of the notification.  

 The website is updated regularly and the information is found under the patient tab and has been present there since the announcement.  I have asked the operations people to consider putting some information on the main landing page.

 Patients have been advised about what measures they can take to determine if there have been any intrusions on their privacy.  This information is available on our website and also by calling our call centre if you wish more detailed information.

 

Update January 31, 2014

Heard from the Privacy Commissioner’s office that she will be making the results of the investigation and review public. – I’m very happy about this.

Heard from Medicentres’ folks that if you visited one of their clinics during the time period stated, you details are on the laptop that was stolen. We (the Medicentres person and I) both speculated that the theft was for the laptop, not the data, but we could be wrong.

Block Porn? Don’t Bother


After reading about Conservative MP Joy Smith’s pornography filter idea on the CTV News site, I decided to respond to her and David Cameron (he’s the British PM, you know). You can read about Smith’s plan here. You should also watch the video and read the comments; very entertaining.

Dear Joy and David

I think it’s great that you’re trying to protect the children, but back off, will you? It’s not your job; it’s my job as a parent.

I don’t have any problem with using legislation to keep illegal content off of the internet. I do, however, have a huge issue with government trying to keep objectionable content off the internet. You see, only I can determine for myself and my children what is objectionable. You can’t, my neighbours can’t, my community can’t, … only I can make that determination. You are heading into territory that smacks of censorship. You are advocating that government make moral decisions for citizens. You have no mandate nor right to do this.

Personally, I have no objection to pornography, as long as it depicts one or more consenting adults. I do object to any content that depicts or promotes racism, intolerance, Brussels sprouts, animal abuse, child abuse, elder abuse,  Michael Jackson, Justin Bieber, spousal abuse, honour killings, violence against women, anti-gay sentiment, anti-pro-choice sentiment, … there’s a long list of things that I find objectionable. However, as long as it’s not illegal, leave it out there and let those of us with a couple of functioning brain cells decide for ourselves whether or not to check it out.

You mention that you’re proposing this to protect the children from pornography (among other things). Are you really certain that it will work? One of the issues is that parents aren’t actively filtering what their children can see when connected to the internet. What makes you think that applying a filter, which can be turned off, will change this? If Mummy or Daddy want to see naughty-naughty on the computer, they will turn the filter off and chances are that any kids using the computer will be able to view naughty-naughty because Mummy and Daddy haven’t set up the appropriate controls at the DEVICE and USER levels.

If Mummy and Daddy were smart or pro-active enough to set up the controls in the first place, the filter you propose would not be necessary. If they’re not smart or pro-active enough, the filter you propose won’t be effective because they’ll turn it off to view naughty-naughty and never control things at the user and device level.

Parents need to be more actively involved in what their children are doing online and offline. I have three children, two of whom are old enough to be computer users. I have taken the time to set up parental controls for each of them, and to monitor what they are doing online. This doesn’t mean that nothing gets by what I’ve put in place; it means that I am aware of anything getting by and I can adjust settings when I have to. It means that I actually talk to my children about their online activity. It means that I educate myself and my children about spending time online. It means that if my children come across something that disturbs or confuses them, whether or not it’s sexual, we discuss it as a family. It means that my wife and I take the time to have frank, age appropriate discussions about love and sexuality with our children. It also means that my children have more to their lives than just the internet.

Active, informed parental involvement, coupled with managing internet security settings (it’s not that hard and there are plenty of free resources and tools) will do far more to protect children from seeing porn on the internet than instituting a nanny state filter could ever hope to.

Joy and David, thanks for trying, but spend taxpayer money where it makes more sense. Education, healthcare, anti-poverty measures … these and many more initiatives can use all the money they can get. I’m fully supportive of doing whatever can be done to rid the internet of illegal content and bringing the purveyors to justice; but when it comes to censoring content that is legal, stay out of my house and off my internet.

Cheers!

Chris Walker

Involved Parent & Internet User

Supreme Court of Canada Gets Privacy Call Right: Let’s Keep Going


Please note, I am not a lawyer, nor have I played one on TV (though I really liked Boston Legal). I’m also not a privacy expert, but I really value mine. Like, really value it. I mean it.

Earlier this week, March 27th to be precise, the Supreme Court of Canada ruled that authorities need a wiretap warrant to “intercept” text messages, the same as they need for listening in on phone conversations. You can read the full ruling here and you can check out CTV’s take on it here. For you non-Canadians, CTV is one of our national broadcasters.

In essence, the court opined that text messages are equivalent to an electronic conversation and should be afforded the same level of privacy. So far so good, but what I want to know is what makes communication a conversation? To my mind, a conversation occurs when one or more parties are interactively using their words and their ears. Whether the conversation occurs on the phone, in person, over computers … whatever, makes absolutely no difference. At the same time, what excludes electronic communication from being a conversation?

Is a chat via instant messaging not an electronic conversation much like text messaging? True, the devices may be different, but it was the court that stated that the technology should not matter. Are private/direct messages via social networking sites not private conversations? Is an email thread between specific individuals not sometimes a private, electronic conversation?

My point is this …

If we’re going to hold the authorities to a higher standard when they want to “listen in” on our conversations, we need to be very clear about what a “conversation” is. If text messages require a wiretap warrant (btw, what about texts stored on the device?), then so too should instant messages, private/direct messages, and some emails.

I’m in favour of providing the authorities with the tools they need to effectively deal with crime and criminals, but not at the expense of my privacy.

BYOD – Run What Ya Brung


This was originally posted on the AIIM Community on 2012-05-30.

In the interests of full disclosure; I use a corporately issued laptop, a self-provisioned smartphone (employer pays service), a self-provisioned tablet, and a personal laptop. My tablet, while being hugely convenient and making my life easier, is not necessary for me to live or work. This post was written using my personal laptop and tablet. I used MS Word and OnCloud to write it. The Word file is stored on Google Drive. Yeah, I believe in BYOD (Bring Your Own Device). I also think the cloud’s a good thing.

One day I’d really like to see what percentage of the overall workforce really needs to bring their own device to work, or would even benefit (need vs want) from doing so. 9-5ers, bank tellers, receptionists (can we still call them that?), gov’t front counter staff, fast food employees, gas station attendants, call centre staff, billing clerks, accounts payable clerks, refuse collection agents, … these and a whole bunch more jobs have no stake in BYOD.

Anyone whose work ties them to a desk, executing fairly structured tasks can get by quite nicely with whatever hardware their employer has plunked down for them (assumes that HW and apps are suitable for the job). Oh, they may want to bring in their tablets or smartphones, load up on apps, and do their work from the sidewalk while having a cigarette. But I really don’t give a rat’s ass and neither should you. Can you honestly tell me that someone who processes invoices is going to benefit from being able to do so on a tablet instead of on a PC? I thought not.

Don’t get me wrong; I am not diminishing the value of the jobs that people do or what they contribute to their organizations and/or society at large. What gets me is this whole consumerization of IT thing that’s going on. The next time you hear “I have such cool gadgets at home, why can’t I have them at work?”, consider this answer; “YOU DON”T BLOODY NEED IT!!!”. You know what they need? They need the right information, proper training & support, a decent organizational culture, paths for self-fulfilment, and recognition that what they do means something.

On the other hand, there are many job functions that can definitely benefit from BYOD. Most of you reading this are probably in one. I’m in one of those roles, but there’s still lots of stuff that I need to do at work that can’t get done on my phone or tablet. When I say that, I mean it’s either just not possible or so cumbersome as to be not worth the effort. Taking meeting notes, writing docs, & emailing are all pretty good on my tablet, a little less so on my phone. Running demos, drawing diagrams, entering timesheets, and doing expenses just can’t be done. That does not mean I will give up my tablet or phone. Hell no! What it means is that unless my job changes I am going to have to be content with running multiple devices to get my job done. Oh, I could just go back to using only my laptop, but that would be silly.

Assuming BYOD is the right path …

Security and privacy are major concerns. What’s going to happen if someone loses their tablet or phone? What’s going to happen if there is a discovery order or FOI request and employee procured devices are in scope? Employees who use their own devices are going to be accessing & storing corporate content as well as personal content on the same device. Some of them are going to let friends and family use those devices for all sorts of stuff. You can’t tell your employees not to because they paid for the devices. What are you gonna do about it?

One of the really nice things about having a tablet or smartphone is that I can be mobile. That means that I don’t need to be connected to my corporate LAN and I can still get the stuff I need to do my work. Not all the stuff, but most of it. It’s not just content that I’m referring to, it’s applications as well. If you’re going to make a move to BYOD it’s on your shoulders to make sure that your team has access to the content, applications, and processes that they need to do the job. If your BYOD is limited to a single platform (e.g.: iOS) you may be lucky because you’ll only need to provision apps that work on a limited set of devices. If, however, you’re going true BYOD, well … you could run into some difficulty. Not only are you going to have to deal with security and privacy issues, you’ll also have to get into the app development business, unless there are already apps available from the usual sources (which I really doubt). I’ve used apps developed by organizations that theoretically work across multiple devices; many have fallen short and the user experience simply sucks. Oh, those apps you’re going to build will have to be integrated to those line of business systems your organization runs to get stuff done. Think of them as additional UI’s and functions that you’ll need to build, maintain, and support.

Another nice thing about BYOD, depending on your perspective, is that lotsa people have their favourite device(s) with them pretty much all the time. That means they can respond to stuff from bed, the beach, while watching TV, while watching the kids at the playground (saw this woman almost get smoked by her kid on a swing while she was occupied with her iPhone – yes, I would have laughed), what/where/whenever. It’s really cool that you can get someone to respond at anytime, but remember that YOU ARE INFRINGING ON THEIR PERSONAL TIME. Granted that it’s likely their fault because they’re using the same device to watch Formula 1 videos on Youtube and respond to RFP’s but you can’t do anything about it because I bought the device so there. Nyah. Nyah, nyah! Sorry. Anyways, there are times that folks need to respond immediately, and BYOD certainly facilitates this. But, there are also time when folks need to chill without worrying about work. You’re the boss so I expect you to set the right tone and provide the right example.

So what’s my point? BYOD is a good thing in the right circumstances. Refuse collection specialists won’t benefit, but knowledge workers and field staff likely will. It’s also a pretty safe bet that if you allow your people to work with tools that they actually like and see as cool, they’ll be a bit happier and maybe even a bit more productive.

BYOD is appropriate based on the role, not the organization. In my job as a consultant it’s perfectly reasonable to allow me to use whatever device I choose. However, the same can’t be said for the people that process invoices, even though they bring as much value to the organization as anyone else. Have at ‘er and consider the following before going all BYOD:

  1. Are devices your major issue? You’re freakin’ lucky if they are. Most orgs have way more serious stuff going on than what can be solved by allowing someone to do their job on a tablet.
  2. Can you secure your stuff properly? My wife doesn’t want to see quarterly sales projections and my boss doesn’t want to see my wife & I [fill in the blank with whatever you want, you dirty devil, you].
  3. Do you want to get into app development? You do? How many platforms & form factors & screen sizes/resolutions do you want to develop for? Oh, and support? And maintain?
  4. Privacy. Closely related to the security thing. Yes, they are different. Go look it up if you don’t believe me.
  5. If you go BYOD, can your users still access everything they need to do their work?
  6. What’s the impact to employee working hours going to be? They’ll have the gadgets with them 24/7, will you expect them to be available/reactive 24/7? Shame on you if you will.

I’m not saying that BYOD is a bad thing, just think about it a bit before you commit.

%d bloggers like this: