Facebook’s latest privacy troubles

May 22, 2010

After years of controversy, Facebook may well end up in a Canadian Federal court this fall.

In August last year, Canada’s privacy watchdog, Jennifer Stoddart, announced that Facebook had agreed to improve its privacy protocols to be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).

But instead of working to address the concerns, last December Facebook implemented changes that further reduced user privacy.  These changes effectively required users to manually modify settings to prevent friends, personal information and photos from being shared.  According to the Wikipedia entry Criticism of Facebook:

… a user whose “Family and Relationships” information was set to be viewable by “Friends Only” would default to being viewable by “Everyone” (publicly viewable). That is, information such as the gender of partner you are interested in, relationship status, and family relations became viewable to those even without a Facebook account.

Facebook clearly have decided that the increased revenue possible from sharing personal information is worth battling government privacy commissioners and lawyers.  And that’s fine — so long as our government continues to enforce our laws and bring violators to account, we can play that game too.

I’ve never had a Facebook account.  I can be patient.

But those who still trust Facebook with personal information — and haven’t bothered to examine the minutiae of the site’s privacy settings — will continue to have their personal information shared with 400 million users and thousands of advertisers, data aggregators and, well, pretty much anyone else on the Internet.  At least until the wheels of justice grind to a conclusion…

Mike


Cloud Computing: Schneier and Ranum weigh in

May 23, 2009

Unless you’ve been living in a cave over the past six months, you are probably aware that Cloud Computing is the Next Big Thing.  Of course, it isn’t new or unique — it is a form of centralized computing and application delivery that has existed since the first time-sharing systems emerged in the 60s.

But the big vendors need a story to push their products and services, and Cloud Computing is it for 2009. It isn’t surprising that the information security and privacy protection aspects of cloud computing are starting to get a lot of attention as well.

What are the risks? How secure is my data in the Cloud? What privacy protections can I rely on? Do you really trust your service provider?

Bruce Schneier and Marcus Ranum have a video from their Face-Off series that is well worth viewing for anyone looking to take advantage of Cloud Computing services.

I like Ranum’s emphasis on limited data access and lack of portability. Locking clients into a hosted application and database is going to be a problem when the client wants to use another provider. Just how do you move five years of email from Gmail to your own mail server? Can you quickly extract and replatform your critical sales data from Salesforce.com if Salesforce gets bought out by one of your competitors?

Mike


Identity Assurance — Trust Levels

November 30, 2008

3rd in a series

The second part of the Assurance Component of the Pan-Canadian Assurance Model to discuss is Transaction Trust Levels, or more simply, Trust Levels.

Trust Levels are defined in the pan-Canadian IdM&A Framework as ‘a pre-established statement of the level of certainty that is needed to access information or conduct a transaction.’  They are directly linked to the Security Classification of information.

Working from that classification, the framework establishes four trust levels:

0. No Trust — Anonymous Transaction.  Used with information that is unclassified (e.g. published information).

1. Low Trust — Routine Transaction.  Used for protection of systems containing basic information, i.e. information with a Security Classification of Low.

2. Medium Trust — Verified Transaction.  Used with systems that need to protect confidential data, such as some medical records, tax information, identity information, etc. 

3. High Trust — Corroborated Transaction.  The highest level of trust; required for protecting information classified as High (e.g. cabinet documents, criminal trial information, etc.)

It is important to note that the ‘transaction’ referred to in this discussion is the business transaction that will be supported by the IdM system.  For example, medium trust is needed by business transactions that need to be verified (due to the sensitivity of the information being protected). 

In Practice:

Trust Levels allow for a clear description of what we need to establish before we allow access to an application or information set.  On the surface, the Trust Levels differ little from the Security Classifications, but the exercise in assessing trust and assigning a Trust Level is important.  It forces the business to ask some key questions: How much do I need to do before allowing access to this information?  Have I classified the information correctly and is it reflected in the Trust Level?

As can be seen from these questions, the word ‘trust’ forces the business to look at the Security Classifications in a somewhat different light.  That allows for better conversations around what the value of the information is and what an appropriate access solution might look like.

Next: Registration Process.

