Excellently written article by Bruce Schneier on the importance of audits and auditability, especially today.
There is plenty of information available on Bill C-61 (the proposed Canadian Copyright legislation) on the Internet. Michael Geist, who for all intents and purposes is leading the charge in educating the public and helping everyone become aware of and understand the issue, recently presented at a strategy session. If you want a 30 minute summary of the history and where we are at today, I’d recommend taking some time to listen to it. Michael is a great speaker and he’s doing an excellent job getting the message out in clear and simple terms that just about anyone can understand, even if you have no background in copyright issues. I’d strongly suggest his blog for information and links to other good sources of information on this issue.
In listening to his talk, it confirmed that I personally am up to date on the issue. At one point Michael mentioned being characterized by a government individual as a “Pro User Zealot.” This made me smirk. I don’t know Michael personally, but the last word I would pick is a “Zealot”. I find him to be extremely reasonable and understanding of all sides of this issue.
Another interesting comment was made during the question and answer section at the end of the talk by a government individual. I couldn’t catch his name in the audio, but he spoke about “practical politics” and what people have to do to make the conservative government ‘care’. I am sure what he said is very true, and it really saddened me that what he said was correct. Of course deep down I know this to be true, but one can always hope it is not. To paraphrase the statement … ‘unless the issue is going to have enough momentum to change votes to the point of affecting the party they will just ride it out’. Another comment made by this person that caught my attention was
“If you accept the process then you are already done because the process is designed to go through.”
I have commented on this before here and here. EFF just posted a blog entry discussing The Statement of Lee Tien. He testified in a Senate hearing outlining the dangers of random searches of travelers’ digital devices. It is worth the read for those interested.
Although this applies to U.S. citizens and the U.S., I suspect whatever the outcome of the permissibility of random searches of electronic devices, someone like myself entering the U.S. as a visitor would be under different rules. My concern is that they are willing to execute random searches, period, including the copying and imaging of data ‘just because’. And it isn’t just the U.S. either like many claim. With ACTA, random border searches of electronic devices are coming soon to Canada and other participating countries.
A few years ago, I was involved with a client that had a legal case against a Government. My laptop contained data that I was providing analysis on that affected the case. What if the government were to just image my laptop? They would now have information that they should not be privy to. That is bad. It undermines the legal system of all countries involved.
Any sensitive data on my laptop is encrypted and I consciously make sure that a forensic search won’t reveal the passphrases or anything like that. It annoys me that I have to worry about and deal with this prior to travel. The last few months due to ACTA, I now remove any sensitive client data from my laptop till I reach the hotel and then securely download what I need. Some say this is just silly. Most if not all of the data on my laptop I really don’t care if they saw or copied it, nothing really bad or incriminating about it — it’s the principle I guess.
I’m thinking about going a step further. Take a laptop that has nothing on it, and an O/S that runs from a CD or DVD. Boot off the DVD, download the data you need. Prior to travel back home, upload the data, and forensically wipe the hard drive.
If there is valid suspicion that an individual is doing something which could harm others or is illegal, search away. But random searches just because you can? I’m starting to feel like some of those old Russian movies I watched as a child, where you had to carry “papers” to show officials if requested. Not a free society.
In Canada most citizens will have a Social Insurance Number, commonly referred to as a SIN number. I recall getting mine when I was a teenager and was going to start working. Nowadays, you get one almost as soon as you are born. My daughter obtained one within months of her birth. I recall that, because I was surprised and for some reason I recall it was required. Of course, that immediately triggered thoughts of why do they need to do this now? Tracking? More detailed history of people? These and other conspiracy thoughts went through my mind.
Here is an article about an individual in Ontario, Canada, who was the victim of identity theft through no fault of his own. The government was unable to properly secure sensitive information, and his identity was stolen. In the article it is stated:
“I don’t want any money — not a dime,” he said. “I just want a new social insurance number so that I can disassociate myself from the fraud and start my life over again.”
Seman said he has been fighting for a new SIN number in writing, in person and on the telephone for five years, but hasn’t been able to get one.
Unfortunately, very hard. This is a very difficult and expensive problem, and even trying to solve it will not guarantee a solution. Today, a SIN number is the one thing that connects you the most. Almost any form you send to the government will have your SIN number. This number will be linked with all medical information on procedures that you have had, doctors you have seen, prescriptions you have been given. Financial corporations require it for financial transactions, bank accounts, mortgages, loans, stock trading. It is the key to your credit rating. Companies you work for require it so they can submit income and other financial information to the government. This one number links you throughout the government, throughout the medical and financial worlds, both in public and private databases and paper file systems. It really is a ‘key’ to finding out everything about you. And that is exactly how it is used.
In order to offer the ability to change your SIN number, the government would have to have a way to change every record in every database, both public and private. It would have to be able to change this number on forms and records that have been filled out that are not electronic. If any mistake is made, then information on you is effectively lost. For example, suppose you were rushed to a hospital unconscious from a car accident. From the identification on you, a driver’s license confirmed your identity, which led them to your SIN number. The SIN number permitted the hospital to pull your medical records. Now suppose you had your SIN number changed, and a major medical procedure you had a few years ago at a medical facility did not change the SIN number. That information is now lost and is not available to the medical staff getting ready to treat you in the current emergency situation. One could argue that they can use name, birth date, and other details to find the required information. Although this is somewhat true, it is not as guaranteed as a SIN number. The SIN number is the best assurance of the accuracy of the linking of the information. Is this a bad thing? Maybe or maybe not.
The risk of giving individuals the ability to have their SIN number changed is not worth the overall risk of not being able to gather information or missing information by government, law enforcement and anyone else looking to obtain details about you. That is why the solution is to give you negligible amounts of money, and offer you free credit report checking. It is easier and much less risky. Currently the number of people that have their identity stolen versus those that don’t is small.
Of course identity theft will only increase and this problem will get worse. Eventually, they will be forced to deal with it on a global scale. There are procedures, I believe, to obtain a new SIN number, such as the witness protection program and things of that nature, but these are very few scenarios, involve few people and are manageable.
Today, the problem is expensive to solve, difficult to solve with no guarantees of not having information lost, and it affects relatively few people’s lives. Government response is unfortunate, but logical. Personally, I don’t agree with it, but until it gets more visibility, either by many more people being affected or a few very public people having their identities stolen, not much will happen beyond the preventative steps you see today.
This post is to keep a list of some of the net neutrality issues that I may need to refer to at some point.
- Rob Topolski created a summary video with comments presented to the FCC hearing at Stanford University on Apr 17, 2008. It is here.
The CBC show SearchEngine has the following:
- April 17, 2008 Part II of the Internet bill of rights. Podcast located here.
- April 10, 2008 hosted a podcast on the Internet bill of rights. Podcast is here.
Looks like Bill C-10 does not even have a problem it is trying to solve with respect to the ability to deny grant money to any film based on some ‘guidelines’ according to Andrew House, spokesperson for the Heritage minister. Makes me even more suspicious. The Star article is here.
Kaizen is a Japanese term that means continuous improvement. I’ve heard it used in business many times and with slightly different interpretations. The most interesting business version was a particular company I consulted for that wanted to impose a new licensing scheme. The problem was that just imposing it on their customers would be bad for business. In order to reach their goal, they did it very slowly. As new features came out on new versions of their software, they started adding additional license requirements. It took them longer, but they got most of their customers converted to the new scheme, all paying effectively more, and their customer loss was negligible. The president of the company described the process to me as ‘Kaizen’ — obtain your goal in baby steps, otherwise you will not be successful.
A similar western analogy is that of a frog in water. It goes like this. If you put a frog in boiling water, it will immediately jump out. If you put the frog in room temperature water and slowly increase the temperature of the water to a boil, the frog not sensing a big difference will stay in the water and eventually die.
Kaizen is exactly what the governments do. To me this is the bigger picture of what some of Bill C-10 represents. Bill C-10, among other things, permits the government to decide if a particular film should get funding based on some unpublished ‘guidelines’. These ‘guidelines’ probably have a fair bit of subjectivity to them, can be changed at any time and most likely can be interpreted in many different ways. The word guideline implies a suggestion of a path to take to come to a decision, which is different than a rule, which implies you must take a specific path or a specific action.
On March 4th, The Current, a CBC Radio show, discussed Bill C-10. You can find the podcast here. Pierre Poilievre was interviewed about the bill. One of his first statements was that these ‘guidelines’ are not new and are already used for books and magazines. Bill C-10 permits these same ‘guidelines’ to be applied to film. If you listen to him, he implies that this is nothing new and there is nothing to worry about. These guidelines have obviously worked, we are just now going to apply them to film. Why all the fuss? No big deal … right? This to me is Kaizen or the frog analogy. If I want to change things and I execute the change in baby steps, people tend to not notice or not enough people notice, so the concern is not brought to the forefront for the general public to become aware. I had no idea till I heard this interview that this process was applied to books and magazines. Now that I know, it actually bothers me and it doesn’t make me worry less. His implied tone, that because I didn’t know about it, it obviously didn’t affect me, is crap. Maybe the book and magazine people don’t care. Or maybe they did care, but for reasons of popularity they didn’t get enough press to make people aware of it at the time. Regardless, it is not a justification for applying these guidelines to film. Nor is it a justification to imply that people are overreacting and shouldn’t be concerned.
Sam Trosow said the government should publish these ‘guidelines’ and I completely agree with him. However, I would suggest they remain published on a government website and changes cannot be applied to requests for funding unless the website is kept up-to-date. This should be a rule with penalties if it is broken. It should also include a history of all changes. What is to stop the government from changing these ‘guidelines’ in the future without any justification to the public? Since they are guidelines and not rules or law, changing them without notifying the public is probably permitted.
Kaizen when used by governments and business can be a bad thing. Expectation of privacy is just one of many examples. With the advances in technology and the cost of technology dropping, privacy is not the same as it was. It used to be that an employee could assume a general amount of geographical location privacy while not at work. My PDA that work provides me with has a GPS. The PDA is constantly connected to servers at my place of employment. Technically, they can know and track my whereabouts anytime they want. They don’t do this of course (I do know that), they are not that type of company, but at any point in time they could. After all the PDA is owned by the company. It is technically their property so they have a right to track it … right?
As a fictional example, let’s say this company is an office and they started questioning why their employees were at certain places during their off hours. This would probably not be acceptable today. Now, take the same scenario and let’s pretend it is a PDA that belongs to a paramedic. The paramedic is off duty till 6:00 in the morning, but someone notices that their PDA was at a bar till 3:00 in the morning. Does the employer have a right to question the paramedic? People might say ‘yes’ they do because unlike the office scenario, the responsibilities entrusted to a paramedic by the public should allow them to be questioned and it is the responsibility of the organization to do so. Most people would naturally agree, and it becomes acceptable and maybe the company even requires them to now sign a contract giving permission for the company to track their whereabouts 24 hours a day, 7 days a week. After all, this is now perfectly normal and generally people feel this is acceptable. A year later, I could impose a similar policy on the police department. It’s in the public’s best interest, right? And really it’s not a new policy. The policy is in place for paramedics, we are just applying the same policy to the police force. What would be next? Fire fighters, construction workers, security guards …. I don’t know about you, but I see a pattern. At what point will the public start to speak up? Probably when it is too late.
Check this out: Now when you go on a flight the TSA can see a detailed image of you as if you had no clothes!
The best part is the fact that it takes a “detailed” digital image of your body, but shows an “obscured” version for the TSA screener. No worries, they always delete the original digital image so it MUST be a good thing.