In honor of Data Privacy Day, a few items.
You may have heard that we had a guest speaker, Sol Bermann, Chief Privacy Officer at U of M, on Tuesday. He is happy to share the slides he presented on Privacy and Big Data, so here they are:
Also, my blog from last week was picked up nationally by Educause, the national educational computing organization, and it can be seen here.
As I have mentioned here, I am now the university’s Information Privacy Officer. As part of educating the campus on the increasing importance of privacy, especially as it relates to the electronic data about each of us sprinkled around the world, I’ve invited the University of Michigan’s Chief Privacy Officer, Sol Bermann, to give a talk on why privacy is something we all need to worry about. The talk will be Tuesday January 26 at 2 PM in Bernath Auditorium, UGL.
Hope to see you there.
Yesterday I needed to find a price for a box of inkjet printer cartridges I have but no longer need (the printer broke and I bought a new one that uses different cartridges). I was trying to sell them.
This morning I visited my favorite political blog site, Reason Magazine’s Hit and Run, and guess what showed up on the right-hand side of the page–ads for Canon printers and HP inkjet cartridges. How did Hit and Run know?
Of course, they didn’t. But Amazon and Best Buy purchase ad space on lots of web pages, and my IP address is stored in various cookies, so totally unrelated sites know who I am and their ads target me. And what’s worse, one of those searches was on my iPhone, but the ad showed up on my office desktop.
So remember–if you’re searching for something sensitive, use an anonymized browser page (on Firefox select ‘New Private Window’, ‘New incognito window’ in Chrome, or in Safari a ‘Private Window’–these choices are usually available under the File menu, or at the three horizontal lines icon at the top left). Otherwise you may find ads for pregnancy tests or online tests for symptoms of schizophrenia showing up in your USA Today.
Bruce Schneier, my favorite IT security and privacy guru, has a great column about how our mobile devices are now talking to our laptops and desktops and vice versa–long but worth a read:
If this bothers you, or you are just interested in learning more about the relationship between privacy and Big Data, come hear Sol Bermann on January 26.
Here is Stephan Pastis’ (Pearls Before Swine) commentary:
And a well-known comic strip artist has taken the iTunes End User License Agreement (EULA) and presented it as comic strip dialog in the style of a number of famous comic strip artists (including the authors of Garfield and Dilbert). There are numerous privacy-related issues that these ‘agreements’ raise.
My colleague Dan Solove has a column on how the Empire would have won, had they made proper use of big data techniques. Here is his opening paragraph:
If the Empire had used big data:
. . . the Empire would have won. A search of records would have revealed where Luke Skywalker was living on Tatooine. A more efficient collection and aggregation of Jawa records would have located the droids immediately. Simple data analysis would have revealed that Ben Kenobi was really Obi Wan Kenobi. A search of birth records would have revealed that Princess Leia was Luke’s sister. Had the Empire had anything like the NSA, it would have had all the data it needed, and it could have swept up the droids and everyone else, and that would have been that.
On January 26 the Chief Privacy Officer at U of M will be presenting a talk about the tension between privacy and the use of big data.
Bernath Auditorium at 1:30. All welcome.
In October the European Court of Justice handed down a ruling invalidating the EC’s Safe Harbor Decision, because some governments have access to electronic data that was supposed to be private. Although this seems both esoteric and remote, it will actually affect everyone on the internet.
In 1995 the European Union passed a law protecting data privacy for Europeans’ data. The principles enshrined in the law (the ‘Data Protection Directive’) include these:
- Notice – Individuals must be informed that their data is being collected and about how it will be used.
- Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
(For the rest of the items in the list go here).
In 2000 the European Commission (EC) announced that US companies that declared that they were following the above principles, and registered that declaration, were permitted to receive European data covered by the law (the so-called ‘Safe Harbor scheme’).
In 2015 an Austrian citizen lodged a complaint against Facebook, based on the Snowden revelations that the US government was accessing data supposedly protected by the Safe Harbor scheme, in particular because the US Patriot Act forbade American firms from disclosing whether they had supplied data to US intelligence agencies.
In October the European Court of Justice ruled [1]:
in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities.
Needless to say, the US government was not pleased. The ultimate significance of this decision remains to be seen, but suffice it to say that it has sent a chill across the collective bodies of major American firms with significant presence in Europe, including Microsoft, Google, and Facebook. It does not actually make transferring data across the Atlantic illegal per se, but it will almost certainly entail companies like these posting a warning to their European users that data is no longer safe from snooping by the US Government, a warning that is likely to cast a pall on European operations of American companies. Stay tuned…
[1] Warning–this is the text of a full legal ruling, and is not for the faint of heart.
As perhaps my readers may have heard, I’m assuming a new role at Wayne State—Information Privacy Officer. If you’re an avid reader of my posts you will probably have realized that privacy, particularly internet privacy, has been an interest of mine for several years. As privacy becomes an increasingly important concern around the world, universities are appointing a Chief Privacy Officer (CPO) whose ‘portfolio’ is ensuring that the personal data entrusted to the university is properly protected, and who is an evangelist for the importance of safeguarding our privacy not only at work but in our lives in general.
I will continue to write this blog, occasionally commenting on other, non-privacy-related topics. These will include C&IT initiatives that will impact your work at Wayne and ways in which the new electronic world has affected various aspects of scholarship (such as copyright and open source publishing). However, I will be increasingly focusing my interest on the problem of our identity data and the forces that threaten to steal it or profit from it without our consent.
So what are privacy issues? At a university they include such simple issues as having controls in place covering which employees are able to view social security numbers (there is, just to set your mind at ease, a ‘mask’ in the relevant field in Banner for everyone other than those who actually need to see SSNs in order to do their jobs), but also making sure that the websites that accept credit cards have the correct legally-required controls on what machines they run on and how they are connected to the bank (a set of rules known as PCI-DSS, in case you’re interested).
But it also includes ways of keeping us safe as individuals, such as giving guidance on privacy settings on Facebook and other social networking sites, as well as reminding folks not to tweet that they’re on a riverboat on the Zambezi, especially if there’s no one staying in their house.
And it also means keeping track of national privacy issues (such as whether our federal government is, or ought to be, vacuuming up all our phone call records, and what happens to EZ-Pass records) and even international ones, such as the fact that the European Court of Justice has told European countries they may not store European citizens’ data in American-owned websites because of the Snowden revelations. Here’s a recent story about how this has impacted Facebook.
I will be blogging about several of these issues over the coming months. In addition, look for a couple of campus-wide events highlighting some of these issues in the coming months. One, on protecting privacy while doing ‘big data’ research on student performance at universities is tentatively scheduled for January 26.
The national cybersecurity cooperative MS-ISAC has published a nice set of cautions for those of us who increasingly spend most of our money at websites rather than physical stores.
Here are their suggestions for shopping safely online:
Safe Online Holiday Shopping – Center for Internet Security
Monthly Security Tips Newsletter, Volume 10, Issue 11, November 2015
From the Desk of Thomas F. Duffy, Chair, MS-ISAC
It’s that time of year again – food, fun, parties, and lots of online shopping. Online shopping can be a savior, allowing you to find the perfect gift while saving time, but it can also end with identity theft, malware on your computer, and other cyber unpleasantness. Rather than letting it ruin your holiday season, you can take a few simple security precautions, and be careful where you shop, to help reduce the chances of you being a cyber victim.
When purchasing online this holiday season—and all year long—keep these tips in mind to help minimize your risk:
- Be cautious what devices you use to shop online. Mobile devices, such as smartphones and tablets, make shopping convenient at any time and place, but they frequently lack the security precautions of a regular computer. If you use a mobile device to shop, make extra sure you are taking all the precautions listed below.
- Do not use public computers or public wireless for your online shopping. Public computers and wireless networks may contain malicious software that steals your information when you place your order, which can lead to identity theft.
- Secure your computer and mobile devices. Be sure to keep the operating system, software, and/or apps updated/patched on all of your computers and mobile devices. Use up-to-date antivirus protection and make sure it is receiving updates.
- Use strong passwords. The use of strong, unique passwords is one of the simplest and most important steps to take in securing your devices, computers, and online accounts. If you need to create an account with the merchant, be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters. Use a unique password for every unique site. The August Newsletter contains more information about the dangers of password reuse and is available at: http://msisac.cisecurity.org/newsletter/1.pdf.
- Know your online shopping merchants. Limit your online shopping to merchants you know and trust. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller’s physical address, where available, and phone number in case you have questions or problems. Do not create an online account with a merchant you don’t trust.
- Pay online with one credit card. A safer way to shop on the Internet is to pay with a credit card rather than debit card. Debit cards do not have the same consumer protections as credit cards. Credit cards are protected by the Fair Credit Billing Act and may limit your liability if your information was used improperly. By using one credit card, with a lower balance, for all your online shopping you also limit the potential for financial fraud to affect all of your accounts. Always check your statements regularly and carefully, though.
- Look for “https” when making an online purchase. The “s” in “https” stands for “secure” and indicates that communication with the webpage is encrypted. This helps to ensure your information is transmitted safely to the merchant and no one can spy on it.
- Do not respond to pop-ups. When a window pops up promising you cash or gift cards for answering a question or taking a survey, close it by pressing Control + F4 for Windows and Command + W for Macs.
- Be careful opening emails, attachments, and clicking on links. Be cautious about all emails you receive, even those purportedly from your favorite retailers. The emails could be spoofed and contain malware.
- Do not auto-save your personal information. When purchasing online, you may be given the option to save your personal information online for future use. Consider if the convenience is really worth the risk. The convenience of not having to reenter the information is insignificant compared to the significant amount of time you’ll spend trying to repair the loss of your stolen personal information.
- Use common sense to avoid scams. Don’t give out your personal or financial information via email or text. Information on many current scams can be found on the website of the Internet Crime Complaint Center: http://www.ic3.gov/default.aspx and the Federal Trade Commission: http://www.consumer.ftc.gov/scam-alerts.
What to do if you encounter problems with an online shopping site?
Contact the seller or the site operator directly to resolve any issues. You may also contact the following:
As many have found out, posting a video on YouTube can be perilous if it contains material that you do not own copyright to. Currently Google (YouTube’s owner) will remove videos if they receive what is known as a ‘takedown notice’ from the entity claiming to be the copyright owner. In a case I blogged about several years ago, a video that NASA uploaded was automatically taken down because a news website had pointed to it.
Now Google has decided to provide some defense for those who are engaging in ‘fair use’ of copyrighted material. Fair use permits material to be posted if it is parodied, transformed or used for educational purposes (the exact details are rather more complicated and can be found on a WSU library website).
Google has announced it will legally intervene on behalf of these users, keep the videos up online, and even cover the costs of defending against copyright claims. You can read the juicy (and somewhat political) details in this article.
It will be interesting to see whether Google takes any flak on this.
Last week I provided some tricks for searching through email messages in the new Wayne Connect Powered by Microsoft. Following a question by one of my colleagues, here are some additional keywords and other pieces of search syntax you might find useful.
You can use AND, OR, and NOT to join search terms. AND means that both items must be present, OR means, of course, either item. NOT excludes the term that follows. Note that these words must be in ALL CAPS. So all of these are legal searches:
elephant AND castle finds messages that contain both ‘elephant’ and ‘castle’.
Jones OR Smith finds any message that has either of those terms.
rutabagas NOT turnip finds all messages that have ‘rutabagas’, but do not also have ‘turnip’.
It is possible to specify date ranges within searches. You use the operators :< to mean ‘before’, and :> to mean ‘after’. So to find messages between January 1 and March 1 you could write
received:>1/1/2015 AND received:<3/1/2015
You can also restrict your search to a particular mailbox by highlighting that mailbox after you search.
Using the minus sign
Finally, for at least some of the keywords, you can place a minus sign (-) immediately before the keyword, and the search will exclude whatever follows the minus. Thus
will find all messages from Jones that do not have an attachment
will find all messages from Jones that are not also to Smith.
More complex searching
My colleague also asked about selecting multiple hits in a search result. Unfortunately this is not quite so easy. Theoretically you can click, then shift-click at the end of a long list, but that seems not to work reliably. The only easy way to select a large number of email messages (in order to drag them to a different mailbox, for example) is not to use the web-based client, but instead to use the Outlook desktop app, which has a very powerful, and very quick search engine.