Do you think such a thing could be implemented without any public consultation or corporate media attention? It exists. About 6 months ago at an Ideas Victoria meeting, Kevin S McArthur brought up the fact that Victoria Police were using cameras on some of their police cars, called Automatic Licence Plate Recognition, or ALPR. As Chris Parsons and I were in attendance, no strangers to privacy issues in Canada, we immediately had a list of questions about such a system. Who was running it (later found to be the RCMP)? How widespread was it? Where was the data sent and/or stored? Who had access to it? What type of information was stored? How was it claimed to be used, and how could it be used?
Rob Wipond was also in attendance, one of Victoria’s last freelance journalists, and one of the few I know who do investigative journalism… researching stories with more than a one-day turnaround for a quick hit. He was also very interested, and agreed to initiate the research by submitting some freedom of information (FOI) requests.
This story takes many bizarre twists and turns, including lies, misinformation and misunderstandings by everyone involved in this system. My thanks to the folks at FOCUS Online for supporting such research. This is the type of story that should be national, but nonetheless I’m proud a “little magazine from Victoria” can be responsible for disclosing such an important breach of our civil liberties.
You can read the entire article called Hidden Surveillance in the February 2012 issue of FOCUS, which is on newsstands now.
If the story interests you, Rob went a step further and published all of the documents he received from his FOI and Federal Access to Information requests!
Disclosure: I did not participate in most of the research, only in the initial planning stages, due to a potential conflict of interest with my role on the Privacy and Access committee of the BC Civil Liberties Association and other commitments.
On Vancouver Island, you might pick up the Times Colonist newspaper to see what’s happening. There are little to no privacy risks if you buy it from a stand. However, on the internet, where the company has the opportunity to protect you even more than in the physical space, they’ve decided to try a different angle… sharing your reading habits with other companies. If you use Ghostery you can see that by viewing timescolonist.com, they are sharing your viewing habits on every page you visit with at least 10 different companies, with little to no disclosure of what those third parties do with your information.
| Canadian Newspaper | Trackers |
|---|---|
| timescolonist.com | 10 |
| nationalpost.com | 6 |
| vancouversun.com | 6 |
| mondaymag.com | 6 |
| torontosun.com | 4 |
| ottawacitizen.com | 3 |
| cbc.ca/bc/ | 3 |
| theglobeandmail.com | 3 |
| canada.com/business/ | 3 |
| canada.com | 2 |
| thechronicleherald.ca | 1 |
| thepeterboroughexaminer.com | 1 |
| halifaxnewsnet.ca | 0 |
If your local newspaper isn’t a concern, which it should be, what about your financial institution?
| Canadian Financial Institution | Trackers |
|---|---|
| Scotia iTrade | 4 |
| Coast Capital credit union | 3 |
| RBC Canada | 3 |
| Investors Group | 2 |
| CIBC | 1 |
| Toronto-Dominion | 1 |
| Island Savings credit union | 1 |
Why are these organizations providing your private news reading habits and online financial transactions to third-party companies? If you decide to ask them, perhaps also ask how much money they are making from providing your information.
How does your local news website score? What about your financial institution? Download Ghostery and find out for yourself.
It should be noted that 10 trackers isn’t necessarily worse than 1 tracker; once your personal information is provided to a tracker, you have no control over what happens to it when it gets there… they could sell it to 50 more companies.
If you find any other interesting results from Ghostery, let us know on Twitter and we might add them!
Over the weekend, the University of Victoria’s new administrative building was broken into. Stored there was a payroll server holding the personally identifiable information (PII) of over 11,000 people, including social insurance numbers (SIN) as well as bank account information. I’ve been told there were no cameras or alarms in the area, and the information was not encrypted. If your organization handles personal information, let this be your final reminder to ensure that all personal information is encrypted both while in transit (transport layer) and at rest on the computer (storage layer).
I was interviewed for over 30 minutes by CBC BC today; a few seconds made it onto the news. Check out this clip from the top of the 6pm news.
One of the tips I gave that didn’t make it in is to request a copy of your credit report annually. This is free to do once a year if you send your request in writing, and it is the best way to determine whether you’re a victim of identity fraud. When you do this, put a reminder in your calendar to make the request again a year from now.
UPDATE: Jan 13, 2012:
Saanich News is reporting that UVic will pay for $1.7M worth of credit monitoring as a result of this breach. So if you’re thinking your organization can’t afford an organization like PrivaSecTech to protect the personal information of your staff and clients, this is another example of how being proactive would have cost less than 1% of the reactive cost. It costs you nothing more than an email or a phone call to see what we can do for your organization. We look forward to working with you to ensure this doesn’t happen to you.
If you’re a citizen of British Columbia and concerned about the government’s handling of your personal information, you probably want to read Bill-3 (full text of the proposed amendments), which has already passed second reading in the BC provincial legislature. These are proposed amendments to the Freedom of Information and Protection of Privacy Act.
What they want to do is remove accountability for which Ministry is responsible for the data; instead, they’re hoping to build a monster database, which they call Integrated Case Management (ICM), and allow effectively anyone in government to read your personal information. As an investigator of breaches in British Columbia, I should remind you that most breaches are not caused by hackers on the outside, but by inside employees abusing the access they already have. Widening that access puts your personally identifiable information at an exponentially greater risk. In fact, there would be nothing stopping them from also sharing this data with “partner” organizations, which include private companies and/or foreign governments.
This is the most important bill this year in British Columbia regarding your personal information, so be sure to share your concerns with your MLA!
EDIT: It’s a done deal; as of October 25, 2011, this bill passed third reading. (Watch the third reading video, or read the transcript.)
After writing an article yesterday on how LinkedIn opts your name and photo into social advertising by default, it was brought to my attention today that if you’ve had enough and want to close your account, that is only possible if you have less than 250 followers!
A few hours ago, snookca said on twitter, “Apparently, when you try closing your LinkedIn account, if you have more than 250 connections, a representative has to contact you.”
He included a couple of screen captures that demonstrate his experience.
Yesterday, Vanity Fair published an exclusive on Operation Shady RAT (remote access tool), a high-level hacking campaign that lasted over 5 years, compromising over 70 name-brand victims in over 13 countries. For the techies reading this, McAfee has published a 14-page report [pdf] on the hack. Canadian government agencies were targeted multiple times between 2009 and 2010, 4 in total, with the Canadian-hosted World Anti-Doping Agency having been compromised for 14 months. F-Secure has published a few examples of what the targeted emails look like. Operation Shady RAT has been described as the “biggest transfer of … intellectual property in history”, one that could pose a serious economic threat on a global scale. It is suggested it was the work of one specific operation conducted by a single actor/group. “All the signs point to China,” says James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, adding, “Who else spies on Taiwan?” Alperovitch (McAfee) said he divides all Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.
This is happening as British Columbia, and Canada, race to implement wireless smart meters, electronic health records, and electronic voting, each of which could be compromised by my small organization, should we be given the opportunity. Perhaps we should wait until security controls are in place such that I can no longer suggest they could be compromised so easily.
An article came out today on canada.com detailing how some good precedent for freedom of speech and anonymity online was just set in Ontario:
“The public interest favouring disclosure [of the bloggers' names] clearly does not outweigh the legitimate interests in freedom of expression and the right to privacy of the persons sought to be identified,” Judge Brown wrote, noting the three anonymous defendants, who chose to make comments on the site using pseudonyms, had “a reasonable expectation of anonymity.” - Judge Carol Brown, Ontario superior court
Former Aurora mayor Phyllis Morris will appeal her $6M defamation suit. The appeal is sure to set a precedent in Canada, so that is one we’ll pay attention to!
I just read a tweet from Meredith L Patterson stating that Len Sassaman has committed suicide. I don’t know why, but at first I thought it only a silly internet joke, as he was a happy kinda guy, at least public facing. Unfortunately, a punch line didn’t come, and reading more of her stream made me realize it is serious. Len was a pioneer in information security, privacy and anonymity; I know because I was fortunate enough to be there and work with him on a few projects. Mind you, I was only using pseudonyms at the time, and I’m comfortable with that. Also, I was not near the technical calibre he was; I looked up to him. I remember one phone call we had when he got a job working for NAI, the company that had acquired PGP, the first military-grade encryption that was open source and free to the world, so we might all protect ourselves from hostile regimes. He was stuck in traffic in his (convertible?) Porsche. To me, he was an example of the good guys winning: you can do what is right for all of us, and be successful. Geeks have a chance, I thought.
We’d lost touch over the last decade, and only had brief contact recently over Twitter and IRC; mind you, I often use my real name now, so context was lost and I’d have to go through the trust-gaining process once again. His impact on information security is unforgettable; John Perry Barlow (of EFF and Grateful Dead fame) has already commented on it.
UPDATE: I decided to sleep on this before posting, as it doesn’t really do anything but allow me to verbalise my feeling of loss, but I’ve decided I’m OK with that. If you want to do something in his memory, learn to use open source encryption (TrueCrypt, Tor and GnuPG, for example); a goal he and I always shared is encrypting all traffic on the internet, so it’s not easily sniffed/read/stolen (most internet traffic is). You will be missed, Len; you’re a reminder that we’re all just packets on the internet of life.
News broke yesterday that iPhones have been keeping users’ travel patterns on both the iPhone and the computer it is backed up to. Thanks to Alasdair Allan (alasdair@babilim.co.uk @aallan) and Pete Warden (pete@petewarden.com @petewarden) for releasing this finding; they even released an open source app, called iPhone Tracker, that can display these maps.
Last night at Ideas – Victoria, my good friend Kevin McArthur (@kevinsmcarthur) started looking at the files that the iPhone left. We quickly realized that not only was his travel logged and mappable, but there were also some other interesting tables. After a little more digging, we realized that his iPhone was also logging Wi-Fi MAC addresses with latitude and longitude! This is exactly what Google Street View took all of the heat for with regard to privacy in many countries around the world.
To put this in perspective, every single iPhone or iPad with a cellular plan has been doing this since iOS 4 was installed on the device! The amount of data that Apple users collectively hold is unprecedented, and it is being stored unencrypted on these devices.
In Kevin’s case, about 6 months of logging equated to approximately 60,000 MAC addresses in Victoria, BC, that he had no idea he was collecting.

A few questions to ask:
Technical details
Do you want to know what MAC addresses your iPhone or iPad has logged?
Requirements: You will need Xcode to complete the following.
Download the source code tarball, open it, and modify the following lines of iPhoneTrackingAppDelegate.m:
const float precision = 100;
to
const float precision = 3000;
* Warning: this will significantly slow down the loading of the map, as many more reference points will be visible.
now change:
NSString* queries[] = {@"SELECT * FROM CellLocation;", @"SELECT * FROM WifiLocation;"};
to
NSString* queries[] = {@"SELECT * FROM WifiLocation;"};
That will remove the gridding and include Wi-Fi MAC address locations instead of cell tower locations. The next step reduces the time granularity from 7 days to one:
const float weekInSeconds = (7*24*60*60);
to
const float weekInSeconds = (1*24*60*60);
Load it in Xcode, recompile and run!
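As an added example (not code from the post or from the iPhone Tracker project), here is a small Python script that performs the same analysis the modified tool does, so you can see what your own device logged without building the app. It runs the reduced WifiLocation query against a constructed in-memory SQLite table shaped like the consolidated.db table the post queries, snaps coordinates to a 1/precision-degree grid (my reading of what the tool's precision constant does), buckets observations into windows of weekInSeconds, and counts distinct access-point MACs. The column names, the interpretation of Timestamp as seconds since Apple's 2001-01-01 reference date, and all sample rows are assumptions; to run it on a real backup you would replace build_sample_db() with sqlite3.connect() on a copy of your own consolidated.db.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the Timestamp column counts seconds since Apple's reference date (2001-01-01 UTC).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

DAY_IN_SECONDS = 24 * 60 * 60   # the post's "weekInSeconds = (1*24*60*60)" setting
DEFAULT_PRECISION = 3000        # the post's "precision = 3000" setting
WIFI_QUERY = "SELECT MAC, Timestamp, Latitude, Longitude FROM WifiLocation;"


def build_sample_db():
    """Build an in-memory SQLite database with a WifiLocation table.

    Column names follow the table the post queries; every row is constructed
    sample data (hypothetical MACs around Victoria, BC), not a real capture.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE WifiLocation (MAC TEXT, Timestamp REAL, "
        "Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
    )
    t0 = 330_000_000.0  # constructed: mid-June 2011 in Apple-epoch seconds
    rows = [
        ("0:1f:33:aa:bb:01", t0,                        48.42860, -123.36560, 60.0),
        ("0:1f:33:aa:bb:02", t0 + 120,                  48.42863, -123.36557, 60.0),  # same 1/3000-degree cell as :01
        ("0:1f:33:aa:bb:03", t0 + 3600,                 48.43000, -123.36800, 60.0),  # a few hundred metres away
        ("0:1f:33:aa:bb:01", t0 + DAY_IN_SECONDS + 10,  48.42861, -123.36559, 60.0),  # :01 seen again the next day
        ("0:1f:33:aa:bb:04", t0 + 2 * DAY_IN_SECONDS,   48.45000, -123.35000, 60.0),
    ]
    conn.executemany("INSERT INTO WifiLocation VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def wifi_rows(conn):
    """Run the reduced query from the post (WifiLocation only, no CellLocation)."""
    return conn.execute(WIFI_QUERY).fetchall()


def distinct_macs(conn):
    """Every access-point MAC the device recorded, regardless of where or when."""
    return {mac for mac, _, _, _ in wifi_rows(conn)}


def snap(coordinate, precision=DEFAULT_PRECISION):
    """Snap a coordinate to a 1/precision-degree grid.

    precision=100 gives roughly 1 km cells, precision=3000 roughly 37 m cells
    in latitude; this is my reading of what the tool's precision constant does.
    """
    return round(coordinate * precision) / precision


def grid_cells(conn, precision=DEFAULT_PRECISION):
    """Map each grid cell to the set of MACs observed inside it."""
    cells = defaultdict(set)
    for mac, _ts, lat, lon in wifi_rows(conn):
        cells[(snap(lat, precision), snap(lon, precision))].add(mac)
    return dict(cells)


def time_buckets(conn, window=DAY_IN_SECONDS):
    """Group MACs into fixed windows (the weekInSeconds knob), keyed by window start date."""
    buckets = defaultdict(set)
    for mac, ts, _lat, _lon in wifi_rows(conn):
        window_start = APPLE_EPOCH + timedelta(seconds=(ts // window) * window)
        buckets[window_start.date().isoformat()].add(mac)
    return dict(buckets)


def summarize(conn, precision=DEFAULT_PRECISION, window=DAY_IN_SECONDS):
    """The counts a device owner would want: how many MACs, in how many places, over how many days."""
    return {
        "observations": len(wifi_rows(conn)),
        "distinct_macs": len(distinct_macs(conn)),
        "grid_cells": len(grid_cells(conn, precision)),
        "time_windows": len(time_buckets(conn, window)),
    }


if __name__ == "__main__":
    db = build_sample_db()
    for precision in (100, 3000):   # the post's before and after values
        print(f"precision={precision}: {len(grid_cells(db, precision))} occupied grid cells")
    for day, macs in sorted(time_buckets(db).items()):
        print(day, sorted(macs))
    print(summarize(db))
```

On the constructed rows the coarse grid (precision 100) merges three of the observations into one cell, while the fine grid (precision 3000) keeps them apart, which is why the post's change makes individual access points visible on the map at the cost of many more points to draw.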
This image is getting a lot of attention. Today Michael Geist has released an article on Unpacking The Policy Issues Behind Bandwidth Caps & Usage Based Billing.
My MP has told me she opposes gouging consumers through usage-based billing. The Liberal Party is against UBB. Tony Clement, the industry minister, has stated he is also reviewing the decision. The prime minister’s office has just said they’ve requested a review of the CRTC’s decision. With 250,000 Canadians having signed the “sign the meter” campaign petition, it looks likely the CRTC decision will be overturned.
The big question now is strategy; I hope my friends Steve Anderson and Rocky from TekSavvy have a next-steps strategy so that such powerful momentum can move us into an internet landscape that has the world’s respect, as right now we’re a laughingstock.