India’s technocracy

India’s Aadhaar national identity system is a huge and brave experiment to stamp out corruption and strengthen national security.

Buzzfeed today has an in-depth look at India’s Aadhaar national identity system.

1.12 billion Indians are now enrolled in the system that’s rapidly becoming mandatory as everything from telephone companies to job interviewers demand an identification number.

Aadhaar is far from without critics, with warnings that the database has a rich potential for abuse and the risk of betraying Indians’ biometric data should the system be compromised.

The latter point is important as biometric data isn’t like passwords – once biometric data has been compromised it can’t be changed, which opens up massive possibilities for identity fraud.

Regardless of the risks, India’s state and Federal governments are pressing ahead with the system and making sure it is a fundamental part of national life. Coupled with the recent demonetisation of the economy, the nation’s governments now have a very good picture of most Indians’ lives.

For civil rights campaigners this is a worrying system while government officials and politicians claim it will stamp out fraud and strengthen national security.

India is leading the way to where many other nations are going in coming years. It would be worthwhile watching how Aadhaar develops.

The science of money and data mining

The use of data mining by private and government agencies is widespread and only going to become more so. Do we care about the consequences?

Last week I wrote a piece for Fairfax Metro – the Sydney Morning Herald and Melbourne Age – looking at how government agencies and private credit companies are mining data.

That story sparked a range of interest with my doing a twenty minute segment on ABC Brisbane today on the topic which morphed into a deeper discussion on surveillance, particularly with the Australian government’s ‘metadata’ laws.

I’ll also be talking on ABC Radio Perth on Monday, March 6 about this story at 6.15am local time (9.15am Sydney and Melbourne).

In the wake of the Australian government’s Centrelink scandal – a national disgrace that is only getting worse – it’s worthwhile discussing exactly what data is being gathered and how it is being used.

The answer is almost everything with commercial operators like Experian pulling in data from sources ranging from credit card applications to social media services although store loyalty cards remain the richest information source.

As the Australian Tax Office spokesperson pointed out, none of this is particularly new as they have been collecting bank deposit data since the Federal government introduced income taxes in the 1930s.

The arrival of computers in the 1960s changed the scale and scope of tax offices’ abilities to track citizens’ finances and gave rise to the major commercial credit bureaus.

With the explosion of personal electronics and internet connected devices in recent years along with increased surveillance powers being granted to government and private agencies, that monitoring is only going to grow.

The best citizens can expect is to have their data protected and respected with financial providers only using what is ethical and relevant in determining our access to banking and insurance products.

Politically the only way to ensure that is to make it clear through the ballot box. The question is, do we care enough?

Governments count the cost of massive data breaches

The massive Yahoo! data breach is forcing governments to come to terms with the costs of data breaches.

Slowly it’s dawning on government agencies how serious online data breaches can be. That can only be a good thing.

With a billion account details exposed the Yahoo! data breach announced last year was the greatest internet security failure to date.

Now Australian government agencies are worried about the scope of the breach and the number of politicians and officeholders whose credentials may have been affected.

Other government officials compromised include those carrying out sensitive roles such as high-ranking AFP officers, AusTrac money laundering analysts, judges and magistrates, political advisors, and even an employee of the Australian Privacy Commissioner.

The ramifications of this breach are far broader than just a few malcontents grabbing the contents of disused Yahoo! mail accounts or being able to hack Flickr profiles. Many of the passwords will have been used on other services and compromised profiles linked to other platforms, and the potential for identity fraud is immense.

With social media and cloud computing services coupled to these accounts, it’s quite possible for someone’s entire life to be hijacked thanks to one insecure service, as Wired’s Mat Honan discovered a few years ago.

Just like individuals and businesses, the ramifications of careless organisations allowing private information to be stolen can be severe for governments. It’s right that Australian agencies are concerned about where this data has gone.

The official response to continued data breaches has been weak at best so it is good that suddenly agencies are having to face the consequences of the biggest one.

A widespread scare about insecure data may be what’s required to see governments start taking data security and citizen privacy seriously. That may be the positive side of the Yahoo! breach.

Trade offs in the smart city

Smart cities are a trade off between privacy and utility, what is the balance residents are prepared to accept?

What are the trade offs in the connected city? Last week we had an opportunity to talk with Esmeralda Swartz, Ericsson’s Vice President of Marketing Enterprise and Cloud, about what policy makers and citizens need to consider.

One of the important issues is security in both the data being collected, “what are the benefits and what is not acceptable?” Esmeralda asks.

In all the conversations this site has had with smart city advocates the topic of open data has been essential, but this raises the issue of security, something lacking in the Internet of Things.

“Security has to be built into every level,” says Esmeralda who flags that the IoT adds a whole range of new risks.

Along with security, a critical part of a successful connected city is having open data, Esmeralda believes.

“If you start looking at all the layers that need to be connected then they have to be open,” she says.

Open data is a critical point for smart cities and connected communities. If information isn’t open then it’s hard for an ecosystem to develop or for residents to have confidence their data is being used for their benefit.

For companies like Ericsson, who are trying to establish themselves outside of the traditional telco model, gaining the confidence of communities and their leaders is essential to their smart city strategies.

Much of the smart city movement is based upon solutions looking for problems – a common trait of the IT industry. For vendors like Ericsson to succeed in selling their products, it’s essential to prove value to their customers and gain the confidence of communities as they trade off utility for privacy.

Guessing ethnic affinity

Big data can create big risks, particularly when a service like Facebook starts racially profiling

What’s your ethnic affinity? Apparently Facebook thinks its algorithm can guess your race based upon the nature of your posts.

This application is an interesting, and dangerous, development although it shouldn’t be expected that it’s any more accurate than the plethora of ‘guess your age/nationality/star sign’ sites that trawl through Facebook pages.

Guessing your race is something clumsy and obvious, but it’s clear that services like Google, LinkedIn and Facebook have a mass of data on each of their millions of users that enables them to crunch some big numbers and come up with all manner of conclusions.

Some of these will be useful to governments, marketers and businesses and in some cases it may lead to unforeseen consequences.

The truth may lie in the data but if we don’t understand the questions we’re asking, we risk creating a whole new range of problems.

Calculating the threat score

Applying Big Data marketing tools to law enforcement presents some risks

Forget credit scores, police are now running Threat Scores, reports the Washington Post.

This isn’t surprising given the risks involved for officers attending an incident or detaining a suspect and now with treasure troves of data available, police forces and public safety agencies are able to evaluate what threats are present.

However, there are real concerns about these databases and tools, particularly in how the algorithm determines what a ‘threat’ is. As the Washington Post explains, one package will give a military veteran a greater risk rating as they are more likely than the general population to be suffering post traumatic stress disorder.

In promotional materials, Intrado writes that Beware could reveal that the resident of a particular address was a war veteran suffering from post-traumatic stress disorder, had criminal convictions for assault and had posted worrisome messages about his battle experiences on social media. The “big data” that has transformed marketing and other industries has now come to law enforcement.

The marketing industry’s use of Big Data has been, and continues to be, problematic from a privacy and security point of view. That public agencies are using the same tools raises bigger concerns.

Over time, we’re going to need rigorous supervision of how these tools are used. The stakes for individual citizens are high.

Designing a secure IoT ecosystem

Ensuring the next generation of IoT devices is secure will be one of the challenges facing the next generations of designers.

Ensuring the next generation of IoT devices is secure and a good citizen of the wider ecosystem will be one of the challenges facing the next generations of designers.

Diego Tamburini, Manufacturing Industry Strategist of design software company Autodesk, spoke to Decoding The New Economy about how the IoT will change the design industry. “We’ve been designing equipment to connect to the internet for a generation,” he said. “What’s changing is that now the addition of software, electronics, networking and communication is breeding into objects that were purely mechanical.”

Melding the physical and software worlds doesn’t come without risks however, something that worries Internet pioneer Vint Cerf who foresees headlines like ‘100,000 fridges hack the Bank of America’ in an interview with Matthew Braga of Motherboard Canada.

Apart from the fact it could be a hundred million, Cerf has good reason to be worried. Most consumer IoT devices are hopelessly insecure and the recent stories of hacked cars only emphasise the weaknesses with connected household items.

Cerf and Braga make the point the ‘I Love You’ worm of the year 2000 became a crisis because the world had reached the point where personal computers were ubiquitous. A similar piece of malware in a world where everything from kettles to wristwatches are vulnerable would be exponentially worse.

These risks put a great onus on product designers, even more so given much of the functionality is based upon those devices communicating with others across the internet and cloud services, something that Tamburini emphasised.

“One important thing that is happening with things being connected is we are not just designing things that function in a vacuum, we’re increasingly designing members of a larger ecosystem,” Tamburini states. “Now we have to think of how the product will have to connect to other products and how they will collectively perform a function.”

Part of that risk is that should those devices malfunction, either deliberately as part of a botnet or malware attack, or accidentally as we saw with the connected home being disabled due to a defective smart lightbulb flooding the network with error messages, then the wider community may be affected in ways we may not expect.

Cerf believes it’s going to take a big, catastrophic hack on a grand, connected scale before a shift in security begins to happen, and before people begin to even consider that such vulnerabilities even exist.

If that’s the case, it will be that society has ignored the clear warning signs we’ve seen from events like the Jeep hack and the Stuxnet worm, not to mention the massive privacy breaches at Target and Sony. For designers of these systems hardening them is going to be an essential part of making them fit for today and the future.

Apple CEO Tim Cook on Privacy and Profits

Apple CEO Tim Cook discusses privacy, profits and cars with NPR’s All Things Considered

“Privacy is a fundamental human right”. A short, but sweet and fascinating, NPR interview with Apple CEO Tim Cook.

Cook goes on to avoid discussing the likelihood of Apple Cars and expounds the advantages of repatriating corporate profits back to the US, something we can expect cash rich companies like Apple to start agitating for after the next Presidential election.

The interview, which is only eight minutes long, is well worth a listen as Apple positions itself against competing internet giants Google and Facebook over the topic of privacy.

 

Experian, T-Mobile and third party security risk

T-Mobile’s security woes at the hands of Experian show trust cannot be outsourced

Another day, another corporate security breach (or six). This time telco T-Mobile has revealed up to 15 million customers’ data has been compromised.

Notable in this story is that T-Mobile are firmly putting the blame on credit monitoring company Experian.

For both companies this is extremely embarrassing with T-Mobile stating, “our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network.”

T-Mobile, like most telcos, sees a major opportunity in being a trusted provider of security services and this setback hurts them in a key market.

Experian on the other hand have shown their slack attitude to user data previously, having been caught selling consumer details to identity thieves.

That a company in such a privileged position as Experian can be constantly caught this way will almost certainly increase the push to see penalties for corporate data breaches start to get real teeth and the United States’ cavalier attitude to public privacy and online security will take another dent.

For T-Mobile and most other companies, the lesson is stark and clear. Trust starts with your own contractors and business partners; it cannot be outsourced.

The need for an IoT manifesto

As the internet of things rolls out, more care in the design of products and services will be needed

Last May at the ThingsCon conference in Berlin a group of European designers came together to form the IoT Manifesto.

Now that vendors have the ability to put a chip into almost anything, companies and designers are tempted to add connectivity simply for the sake of doing so.

In many cases this opens up a range of security risks ranging from the screaming baby monitor to the hackable Jeep.

Coupled with the security risks of your intimate devices being hacked, there are the related privacy risks as millions of devices collect data ranging from how hard you press your car’s brake pedal through to the last time you burned your breakfast toast.

In an era where governments and businesses are seeking to amass even more information about us, there are genuine concerns about what that data is going to be used for and why it is being collected in the first place.

The IoT manifesto looks to manage these problems facing the sector through ten guiding design principles:

  1. Don’t believe the hype around the IoT
  2. Only design useful things
  3. Deliver benefits to all stakeholders
  4. Keep everything secure
  5. Promote a culture of privacy
  6. Gather only a minimal amount of data
  7. Be transparent about who that data will be shared with
  8. Give users control over their data
  9. Design durable products
  10. Use the IoT and its design to help people

All of the principles are laudable and it’s not hard to think that meeting the guidelines would make devices and services that aren’t just useful and safe but also simpler, cheaper and more effective.

There are many ethical, business and safety issues facing the Internet of Things as connected devices roll out across almost every industry. The IoT Manifesto may well be a good framework in which to design them and the cloud services they’ll depend upon.

How the Internet of Things could overtake the law

The internet of things is going to present challenges for governments and regulators.

Last March the Australian internet industry celebrated twenty years of commercial operations with the Rewind/Fast Forward conference that looked at the evolution of the online economy down under and its future.

Naturally the Internet of Things was an important part of the discussion looking at the internet’s future and one of the panels examined the effects of the IoT on industry and society.

During the session the chairman of the Communications Alliance industry association, John Stanton, raised an important point about how the IoT creates problems for existing laws and the regulators as a wave of connected devices is released onto the market place.

The risks are varied, and Stanton’s list isn’t exhaustive with a few other aspects such as liability not explored while some of the issues he raises are a problem for other internet based services like cloud computing and social media.

Roaming rules

Having fought many regulatory battles over roaming charges and access between networks, it’s not surprising Stanton and the Communications Alliance would raise this as an issue.

Dealing with roaming devices will probably be a big challenge for mobile Machine to Machine (M2M) technologies, particularly in the logistics, airline and travel industries. We can expect some bitter billing battles between clients and their providers before regulators start to step in.

Number schemes

Again this is more an issue for mobile M2M consumers. Currently every SIM card has its own phone number once the service is activated. It may be that regulators have to revise their numbering schemes or allow providers to use alternative addressing methods to contact devices.

Data sovereignty

Where data lives is going to continue to be a vexed issue for cloud computing consumers, particularly given the varied laws between nations.

Short of an international treaty, it’s difficult to see how this problem is going to be resolved beyond companies learning to manage the risks.

Identity management

Data integrity is essential for the IoT and accurately determining the identity of individuals and devices is going to be a challenge for those designing systems.

Over time we can expect to see some elegant and clever solutions to identity management in the IoT. However, masquerading as a legitimate device will always be a way malicious actors will try to hack systems.

Privacy

For domestic users, the privacy of what remains in data stores is going to be a major concern as domestic devices and wearables gather greater amounts of personal information. We can expect laws to be tightened on the duties and obligations of those collecting the data.

Access Security

Who can do what with a networked device is another problem. Should a malicious player or a defective component get onto the system, the damage they can do needs to be minimised. What constitutes unlawful access to a computer network and the penalties need to be carefully thought out.

Spectrum allocation and cost

Governments around the world have been reaping the rewards of selling licenses to network operators. As the need for reliable but low data usage IoT networks grows, the economics of many of the existing licenses changes which could present challenges for both the operators and governments.

Access to low cost and low data access networks

Following on from the economics of M2M networks, mandating slicing of scarce spectrum for IoT applications or reserving some frequencies becomes a question. How such licenses are granted will cause much friction and many headaches between regulators and operators.

Commercial value of information

How much data is worth will always be a problem in an economy where information is power and money. This though may turn out to be more subtle as information is only valuable in the eyes of the beholder.

Where information becomes particularly valuable is in financial markets and highly competitive sectors so we can see the IoT becoming part of insider trading and unfair competition actions. These will, by definition, be complex.

Like any new set of technologies the internet of things raises a whole new range of legal issues as society adapts to new ways of doing business and communicating. What we’re going to see is a period of experimentation with laws as we try to figure out how the IoT fits into society.

Clawing back our data – Telstra makes metadata available to customers

Australia’s Telstra responds to government data legislation by opening metadata to users

Today Australian incumbent telco Telstra announced a scheme to give customers access to their personal metadata being stored by the company.

In a post on the company’s Telstra Exchange blog the company’s Chief Risk Officer, Kate Hughes, described how the service will work, with a standard enquiry being free through the web portal and more complex queries attracting a fee of $25 or more.

The program is a response to the Australian Parliament’s controversial intention to introduce a mandatory data retention regime which will force telcos and ISPs to retain a record of customers’ connection information.

We believe that if the police can ask for information relating to you, you should be able to as well.

At present the scheme is quite labor intensive. A request for information involves a great deal of manual processing under the company’s current systems; however, Hughes is optimistic they will be able to deal with the workload.

“We haven’t yet built the system that will enable us to quickly get that data,” Hughes told this website in an interview after the announcement. “If you came to us today and asked for that dataset it wouldn’t be a simple request.”

The metadata opportunity

In some respects the metadata proposal is an opportunity for the company to comply with the requirement of the Australian Privacy Principles that were introduced last year where companies are obliged to disclose to their customers any personally identifiable information they hold.

For large organisations like Telstra this presents a problem as it’s difficult to know exactly what information every arm of the business has been collecting. Putting the data into a centralised web portal makes it easier to manage the requirements of various acts.

That Telstra is struggling with this task illustrates the problems the data retention proposals present to smaller companies with far fewer resources to gather, store and manage the information.

Unclear requirements

Another problem facing Hughes, Telstra and the entire Australian communications industry is that no-one is quite clear exactly what data will be required under the act. The legislation proposes that the minister can declare what information should be retained, while the industry believes this should be hard coded into the act, which will make it harder for governments to expand their powers.

What is clear is that regardless of what’s passed into law, technology is going to stay ahead of the legislators. “I do think though this will be very much a ‘point in time’ debate,” Hughes said. “Metadata will evolve more quickly than this legislation can probably keep pace with so I think we will find ourselves back here in two years.”

In many ways Australia’s metadata proposals illustrate the problems facing governments and businesses in managing data during an era where it’s growing exponentially. It may well turn out for telcos, consumers and government agencies that ultimately less is more.