
Can cloud computing supplier really guarantee data security?

Cloud computing has become one of the hottest topics in the IT world. It has many advantages: it saves resources, saves cost, and delivers high performance. However, many legal issues follow it too, such as privacy, security, uptime, storage, transportation, and so on.
What clients care about most is probably the security of their data. Where is it stored? How do they physically get their data back at the end of the contract, or when the cloud computing platform goes bankrupt? What measures can be taken when data is transferred between two suppliers? Even if the contract spells out the obligations of the cloud computing supplier very clearly, the supplier may still find ways to avoid liability. We cannot know whether some data has been left behind on their servers, or whether they have concealed an incident. Here is a sample of contract terms:
• Customer unable to decrease the number of users during a subscription term; remedies for breach of a limited warranty for the services to comply materially with a user guide restricted to termination and refund of pre-paid unused fees;
• Supplier to delete all customer data after 30 days after termination, unless a request for such data is made within such time period by the customer; and
• Provision of minimal obligations around security of a customer’s data. (e.g. supplier will maintain appropriate… safeguards for protection… of customer’s data).
Terms like these may be difficult for some clients to accept.
The problem is that if the security of the data cannot be fully guaranteed, there is no point talking about privacy, let alone client confidentiality. We have to admit that cloud computing is an inevitable trend despite the many legal issues, so developing sound contracts is what we should focus on most.

http://information-security-resources.com/2009/06/17/legal-issues-are-hazy-for-cloud-computing/

http://www.itp.net/573704-uncovering-the-legal-issues-behind-cloud-computing

http://www.llrx.com/features/cloudcomputing.htm

What does a Google bomb mean to people?

Google has become the default choice for most web searches worldwide; people use it every second to find all kinds of information. Almost every website wants its pages to reach as many people as possible, and Google search is one of the best ways to do that, so the rank of a page in the returned results matters a great deal. The higher the rank, the earlier the page is shown and the more likely people are to click its link.
Google's ranking algorithm (PageRank) scores a page largely by how many other pages link to it and how important those linking pages are; the anchor text of those links also influences which queries the page ranks for. Some sites exploit this logic to push a page up the results for a chosen phrase, which is called a Google bomb. Whether the links are sincere citations or deliberately planted, the mechanism is the same: increase the number of links (carrying the chosen anchor text) that point at the target page. The interesting question is this: if the rank can be manipulated so easily, what does that mean for end users or governments?
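To make the mechanism concrete, here is an added example (not Google's code, and not from the original post) that implements a toy PageRank over a constructed five-page web, ranks candidate pages for a query by anchor text, and then shows what happens when three attacker pages plant links to a target with a chosen phrase. The page names, the link graph, the anchor-text index and the attacker set are all made up for illustration; real Google used many more signals and later defused this particular trick.

```python
"""Toy PageRank with anchor text, to show how planted links move a page up the
results for a chosen phrase (a Google bomb).

Added example for this post. It is not Google's code: the five-page web,
the anchor-text index and the attacker pages are all constructed here.
"""


def pagerank(links, damping=0.85, iterations=100):
    """Power-iteration PageRank over {page: [pages it links to]}.

    Pages that appear only as link targets are treated as dangling pages
    whose rank is redistributed evenly, so the ranks always sum to 1.
    """
    pages = set(links)
    for targets in links.values():
        pages.update(targets)
    pages = sorted(pages)
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iterations):
        new = {p: (1.0 - damping) / n for p in pages}
        for src in pages:
            targets = links.get(src, [])
            if not targets:
                for p in pages:
                    new[p] += damping * rank[src] / n
                continue
            share = damping * rank[src] / len(targets)
            for dst in targets:
                new[dst] += share
        rank = new
    return rank


# Constructed toy web (not real sites): page -> pages it links to.
BASE_LINKS = {
    "news": ["official_bio", "blog_a"],
    "blog_a": ["news"],
    "blog_b": ["news", "blog_a"],
    "blog_c": ["news"],
    "official_bio": [],
}

# Constructed anchor-text index: (source, target) -> text of that link.
BASE_ANCHORS = {
    ("news", "official_bio"): "official biography",
    ("news", "blog_a"): "blog a",
    ("blog_a", "news"): "daily news",
    ("blog_b", "news"): "news",
    ("blog_b", "blog_a"): "blog a",
    ("blog_c", "news"): "news site",
}


def results_for(query, links, anchors):
    """Pages with at least one inbound link whose anchor text contains
    `query`, ordered by PageRank (highest first). A simplification of the
    link-plus-anchor-text logic a Google bomb exploits."""
    rank = pagerank(links)
    candidates = {dst for (src, dst), text in anchors.items() if query in text}
    return sorted(candidates, key=lambda p: rank[p], reverse=True)


def bomb(links, anchors, target, phrase, attackers):
    """Return a new link graph and anchor index in which every attacker page
    adds one link to `target` with `phrase` as its anchor text. The inputs
    are copied, not modified."""
    new_links = {p: list(t) for p, t in links.items()}
    new_anchors = dict(anchors)
    for a in attackers:
        new_links.setdefault(a, [])
        if target not in new_links[a]:
            new_links[a].append(target)
        new_anchors[(a, target)] = phrase
    return new_links, new_anchors


if __name__ == "__main__":
    phrase = "miserable failure"
    print("before:", results_for(phrase, BASE_LINKS, BASE_ANCHORS))
    links, anchors = bomb(BASE_LINKS, BASE_ANCHORS, "official_bio", phrase,
                          ["blog_a", "blog_b", "blog_c"])
    print("after:", results_for(phrase, links, anchors))
    print("rank of official_bio: %.3f -> %.3f" % (
        pagerank(BASE_LINKS)["official_bio"], pagerank(links)["official_bio"]))
```

Before the bomb, no link carries the phrase, so the query returns nothing; after three blogs each add one link with that anchor text, the target is the only candidate and its PageRank has also risen, because it now receives a share of each attacker's rank. The design point a practitioner should take away is that any ranking signal an outsider can cheaply produce (a link, an anchor text) is an input the outsider controls, so the ranking has to weight it by something the outsider cannot fake.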
It means that both end users and governments have an easy way to mislead readers. In 2006 the official biography page of President George W. Bush was the No. 1 Google result for the phrases "miserable failure" and "failure". The same thing happened to Michael Moore and former US president Jimmy Carter. These Google bombs damaged the reputations of Bush, Moore and Carter, and the purpose was obvious. I do not know whether this could be regarded as defamation, but I do believe another case, Santorum, was exactly that. Columnist Dan Savage built a website, "santorum.com", in which he used a lot of dirty words to define "Santorum", while "Santorum" refers to former United States Senator Rick Santorum. Many people reach these links every day through a Google search for "Santorum", because the site holds the first position in the results.
Google bombs have also been used in competitions. In September 2004 a search engine optimization challenge was launched, aiming to win the top result for the phrase "seraphim proudleduck"; a large sum of money was offered to the winner, and it finally turned out to be a hoax. In March 2005 the magazine .Net organized a contest among five professional web developers to win the top position for the phrase "crystalline incandescence". All of these contests were deliberate attempts to manipulate Google's results, with a single purpose: to interfere with the results so that more people would visit specific websites. We cannot say this is illegal, but at least it is a kind of dishonesty. More clicks on a page do not mean it is popular; the traffic may be there for other reasons. It seems to tell us that Google's ranking means nothing: because of Google bombs, we cannot conclude that a higher-ranked page is more popular than a lower-ranked one.
As more Google bombs appear, the situation gets worse. In 2006 the most famous lawsuit related to Google bombing was decided: Sue Scheff won her case against a woman who had posted hundreds of defamatory comments about Scheff and her company, and was awarded $11.3 million. The damage to her reputation and business was compensated, but she realized that to defuse a Google bomb she had to protect herself. To keep her profile she hired "an attorney as well as an Internet monitoring company, Reputation Defender who manages her online persona". As she said, "if you don't own your own name, someone else will." Google bombs are not only used to hurt reputations; they work just as well for inflating a good one. Both are unfair to ordinary readers.
Given how widespread Google search is, this influence is unexpected. Many ordinary readers do not know the truth; they simply click a link and read the page without any idea whether it is true or not. The misleading may be for good or ill, but either way it is unfair to the victims of a Google search.

Smart grids against privacy?

What are smart grids? A smart grid is an energy-saving approach to delivering electricity that uses two-way digital communication with consumers' appliances to reduce cost, save energy and increase transparency. This modernized electricity network uses an intelligent monitoring system to track all electricity flows, integrates alternative sources of electricity (such as wind and solar power) and incorporates superconducting transmission lines to reduce power loss. Smart meters are the part of the smart grid that records consumption in detail and communicates it over a network for monitoring and billing. Many governments are now promoting smart grids to address global warming and energy independence.

Smart grids seem a great solution for helping users save money and energy. However, some experts are beginning to ask how much smart grids undermine users' privacy, and how anonymous and safe the data delivered over them really is. In general, what users do in their own homes is their own business and nobody else's. But smart grid technology, which uses digital means to control appliances in users' homes, can leak a great deal of personal information about users and their daily living habits by collecting granular data about their power consumption. For example, "the energy fluctuations of home appliances are so unique that a smart grid can tell the make and model of a user's refrigerator." That may not seem a big deal to some users, but it is easy to extrapolate from there to more "Orwellian possibilities". Smart grids are becoming the new battlefield of the privacy issue.
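The refrigerator claim above rests on a well-known technique, non-intrusive load monitoring: whole-house readings taken every minute or faster contain steps whose size and timing betray which appliance switched on or off. The following added example (not a utility's, NIST's or the Future of Privacy Forum's code) runs that inference over a constructed one-minute reading series using a constructed three-appliance signature table, and derives the kind of "someone was home" hint an outsider could extract. Real systems use richer features (reactive power, harmonics, compressor cycle timing), which is how they narrow a fridge down to a make and model; this version only matches the size of each step.

```python
"""Inferring appliance activity from fine-grained smart meter readings.

Added example for this post; it is not a utility's, NIST's or the Future of
Privacy Forum's code. The one-minute readings and the appliance signature
table are constructed for illustration.
"""

# Constructed signature table: appliance -> steady-state draw in watts when it
# switches on. Real tables are learned from many homes' meter data.
SIGNATURES = {
    "fridge compressor": 120,
    "kettle": 2000,
    "electric oven": 2400,
}

# Constructed minute-by-minute whole-house readings in watts: an 80 W baseline,
# a fridge compressor cycle from minute 2 to 9, and a kettle from minute 12 to 15.
SAMPLE_READINGS = [80] * 2 + [200] * 7 + [80] * 3 + [2080] * 3 + [80] * 5


def detect_events(readings, threshold=50):
    """Return (minute, delta_watts) for every change in total load of at least
    `threshold` watts; smaller changes are treated as noise."""
    events = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) >= threshold:
            events.append((i, delta))
    return events


def match_appliance(delta, tolerance=0.15):
    """Name the appliance whose signature is closest to |delta|, provided it is
    within `tolerance` (15 %) of that signature; otherwise None."""
    best, best_err = None, None
    for name, watts in SIGNATURES.items():
        err = abs(abs(delta) - watts)
        if err <= tolerance * watts and (best_err is None or err < best_err):
            best, best_err = name, err
    return best


def infer_activity(readings):
    """Pair each on-step with the next off-step of the same appliance and
    return (appliance, on_minute, off_minute) tuples: a timeline of what ran
    in the house and when."""
    pending = {}
    timeline = []
    for minute, delta in detect_events(readings):
        name = match_appliance(delta)
        if name is None:
            continue
        if delta > 0:
            pending.setdefault(name, []).append(minute)
        elif pending.get(name):
            timeline.append((name, pending[name].pop(0), minute))
    return timeline


def occupancy_hints(timeline):
    """Minutes during which something other than the always-on fridge ran,
    a crude 'someone was home' signal an outsider could derive."""
    return sum(off - on for name, on, off in timeline
               if name != "fridge compressor")


if __name__ == "__main__":
    activity = infer_activity(SAMPLE_READINGS)
    for name, on, off in activity:
        print("%-18s on at minute %2d, off at minute %2d" % (name, on, off))
    print("minutes of human-triggered load:", occupancy_hints(activity))
```

Note what the meter never sent: no appliance identifiers, no occupancy flag, only a series of totals. The sensitive facts are derived by whoever holds the series, which is why the privacy question is about who receives the granular data and at what resolution, not only about whether the meter itself is "secure".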

A recently released report from the Future of Privacy Forum states that "The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information". The report points out that although modernized approaches are important and necessary to reduce energy consumption, smart grid technology may lead to breaches of users' personal information. It also asserts the following:

“The infrastructure that will support the future Smart Grid will be capable of informing consumers of their day-to-day energy use, even at the appliance level. While this is beneficial and supports valuable efforts to curb greenhouse gas emissions and reduce consumers’ energy bills, it introduces the possibility of collecting detailed information on individual energy consumption use and patterns within the most private of places – our homes.”

“We must take great care not to sacrifice consumer privacy amidst an atmosphere of unbridled enthusiasm for electricity reform. Information proliferation, lax controls and insufficient oversight of this information could lead to unprecedented invasions of consumer privacy.”

Another report from the National Institute of Standards and Technology states similar points:

“Distributed energy resources and smart meters will reveal information about residential consumers and activities within the house.”

This report by NIST also addressed the cyber security aspects of the smart grid:

“A lack of formal privacy policies, standards or procedures about information gathered and collected by entities involved in the smart grid.”

These reports point out that the "Smart Grid Raises Security Concerns" and that the "Smart Grid could Undermine User Privacy", and researchers are also worried that smart grids and their communication networks are vulnerable to a variety of attacks. Below are examples of parties who could make use of the personal information that utilities and partner companies can derive from granular power consumption data:

  1. Law enforcement officials might use this information against users or to monitor what users do.
  2. Landlords might be interested in what is going on in their properties.
  3. Criminals and hackers might try to fake power usage, pass their charges on to others, or install malware to shut down smart grid systems.
  4. Insurance companies might look for connections between unhealthy tendencies and patterns of energy use in order to raise premiums or deny coverage.
  5. Travel agencies might send you brochures when your family vacation is coming up.

There are now two important issues related to the smart grid:

1. The privacy issue:

How do we prevent leaks of users' private data from smart grids?

2. The insecurity of smart grid systems:

How do we prevent hackers or other unauthorized parties from obtaining personal information via smart grid systems?

Policy Challenges and Solutions

1. Who has access to your data?

2. How is your data managed? "The European Union's Data Directive has been cited as a good model and consists of the following core principles: [1] data processed fairly and lawfully, [2] sought or collected for specified purposes, and analyzed only for those purposes, [3] merely adequate and not excessive for the purposes motivating its collection, [4] kept accurate, and [5] kept in a form allowing for identification for no longer than necessary."

3. How is your data protected?

4. What happens if your data is breached?

In my opinion, the government should put more effort into smart grids and make laws to regulate the information that flows from them.

Image Sources:

http://ge.ecomagination.com/smartgrid/#/landing_page

Airlines Gripe About Using Skype In Flight

Recently a United Airlines flight attendant told a passenger that he had to end a video-messaging session with his family during a flight. Little did the flight attendant know that the person being told to stop using iChat was John Battelle, one of the founding editors of Wired, a popular tech magazine.

Shortly after being told to shut it down, he blogged about the experience. In his rant he described a conversation with the flight attendant about United Airlines' reasoning behind the request. The flight attendant only offered Mr. Battelle the explanation that United's policies did not allow "two-way communication" with the ground during flight. Apparently United was unaware that it even offered Wi-Fi.

Battelle isn't the only one experiencing trouble using two-way communication on public transportation. In June of 2006, the American Civil Liberties Union (ACLU) of Massachusetts threatened to sue the Massachusetts Bay Transportation Authority (MBTA) over unwritten policies prohibiting digital photography (cell phones, DSLRs, etc.) of or on transportation vehicles. The ACLU of Massachusetts stated, "We respectfully submit, however, that prohibiting photographs of or on transportation vehicles in full view of the public is neither reasonable nor necessary." The MBTA responded by calling the ACLU's written statement "insulting and naive," using the public transport bombings in London and Madrid as a post hoc argument. The MBTA also claims discretion over which photographs will be allowed and which will be prohibited. Traditionally, photos of family members have not been considered a threat. Great, now I can get a picture of grandma next to the train, but not of someone who could be labeled suspicious.

Both the ACLU and Mr. Battelle have the First Amendment on their side; video chatting with family members and taking photos on public transportation are still technically legal. While no one to date has been charged criminally for taking photos in Massachusetts, video chat is clearly an issue with the airlines. Since neither practice is against the law, why would it be an issue? The MBTA says terrorism, and United says the same thing, except just a little different. United ultimately said, in a roundabout way, that using video chat programs like Skype could potentially annoy your single-serving friend next to you. So while the Constitution of the United States says it's okay to use cameras in public places, United Airlines and the MBTA say nay, in a Martin-Luther-separation-of-Christianity kind of way.

United Airlines' argument was that using Skype mid-flight would disturb others. As if the 250 pound woman with elbow-cleavage who needs two seats isn't that much of an inconvenience. MBTA General Manager Daniel A. Grabauskas says, "We need to consider ourselves as prime targets for terrorism." As if everyone and everything else isn't? If two-way communication is genuinely a safety threat, then the airlines should be describing the nature of the threat rather than simply saying it's a matter of etiquette mid-flight; and if cameras on public transportation are a breach of security, then they need to admit their reluctance, accept the technology, and treat it as a service and not a threat.

“Privacy is a transaction cost”

One day in class, our instructor Brian mentioned a professor of his who claimed that “privacy is a transaction cost.” In other words, the only reason privacy exists in the first place is because it was too much trouble for anyone to bother monitoring everything they would otherwise want to. There’s no innate right to privacy, it’s just that no one could be arsed to deprive you of it. Setting aside my understanding of economics, this was a relatively jarring perspective for me (I’m a lot more accustomed to hearing privacy described as a right) and it gave me pause for thought.

We like to know stuff (Privacy vs Knowledge)

From an individual perspective this idea seems to check out. Neighbors snoop on each other to the extent that it’s convenient and inconspicuous. Classmates and colleagues gossip and share tidbits that are as juicy as they are supposedly secret. Information is currency. Even more so for a business, where knowing one’s customers has always been key to good salesmanship.

In some ways nothing has changed. Historically our private lives were relatively safe because no one could be arsed to watch anyone all the time. It's easy to hide when no one is going to bother seeking. Now the ease of gathering information has swung to the other extreme: we have an overabundance of data that is cheap to accumulate and store, and the difficulty is determining what's worth sifting through. Individuals are now hidden in a sea of noise.

In other ways we are much more exposed. While no one is likely to randomly find our info, or care if they happen across it, it is much easier for those with an interest in our personal information to get their hands on it. Casual stalking is trivial through Google or Facebook, and for a pittance you can obtain a frightening array of someone's personal details. In this sense, privacy seems less like a right and more like an ongoing struggle. I cannot hide myself from the world, but it's generally not worth the world's trouble to snoop on everything about me.

I have a right to my identity…right? (Privacy vs Security)

Obscurity is a bad security policy. In the U.S., knowledge of someone's Social Security Number unlocks enough information about them for a stranger to impersonate them. Our SSN is supposed to be secret, yet we must hand it to a great many people, where it sits in filing cabinets and is easily discovered. The root of the problem is that the SSN is used both as an identifier, which has to be shared, and as an authenticator, which has to stay secret; no single number can do both jobs. The problem with taking solace in obscurity is that people can find you anyway, and then what? If only we had a personal ID number that didn't let anyone who knew it impersonate us.

I’m not ashamed of my behavior (Privacy vs Secrecy)

Cory Doctorow makes the excellent point that privacy is about control, not secrecy. It’s not a secret that I am naked when I shower, but that doesn’t mean I’m happy for anyone to watch. We participate in many activities in our lives, the knowledge of which is public but the staring-through-the-window-at is not okay. Privacy is about my having control over who sees me naked.

But it’s so useful (Privacy vs Convenience)

Socially, at least, we have established boundaries about what information we should have control over and what is okay for others to butt in on. Yet online these boundaries are quite vague. Many people are surprised when their online activity is exposed, just as others warn that we should assume anything we put on the internet is public. Even offline, we give up information about our behavior in exchange for shopping discounts.

So why do we do it?  Well, it’s convenient. Giving Amazon our buying history lets us only fill out that tedious credit card information once, plus it gets us recommendations.  On Facebook it allows us to know more about and share more with our friends. And what does it matter if anyone’s watching?

Kids will be kids (Privacy vs Norms)

Perhaps we can make a child-school analogy to our individual-government questions. We all have memories of our behavior as kids which we shrink from. These are things that most of us are aware are normal and pretty unavoidable behavior for kids, while at the same time they are behavior we would try to prevent if we saw it happening. Teenagers do all sorts of things that their parents either
(a) want to find out so they can do something about it,
(b) are vaguely aware it’s happening but don’t want to know about it, or
(c) know exactly what their kids are doing and are fine with it.

In a world where much teen activity has shifted online, the first category has resulted in a spate of schools disciplining students for things that didn’t take place at school. The second is the don’t-ask-don’t-tell policy of parenting. The “if you don’t ask I don’t have to say no” mentality, where once it’s public, authority figures are required to respond to it, but until then they’re content to tacitly allow it to continue. The third kind happens when kids trust their parents, and parents understand that kids will make their own mistakes and just want to be in the loop.

What is the solution here? For kids to get better at hiding their behavior again? Are we content to discourage trust between kids and their parents and teachers? We certainly seem content to distrust our employers and government.

Impasse (Privacy vs Practicality)

Like it or not, as our personal information becomes easier for companies to gather and more valuable to mine, and as long as it is more convenient for us to provide our information, maintaining our privacy does not look any easier. Will new regulations and market forces work to protect individual privacy rights? Who knows, maybe they will. My guess is that our conception of what is private and our norms of what is acceptable will shift to accommodate the growing reality of endlessly persistent and mineable personal data. Instead of embarrassment at pictures of college drinking, upcoming generations may express suspicion of a public official who has no evidence of growing up like a normal person. Instead of disciplining children for being children online, perhaps schools will use such opportunities as teachable moments.

Terms of Service? Or Abuse?


Background

Nowadays no one can go online without clicking a bunch of "I Agree" buttons. Behind that one-second click are the so-called terms of service (TOS), under which you unknowingly agree to give up a lot of rights. Not many people have the patience to read the TOS, and even if they want to, the TOS is not designed to be readable. Like it or not, the little "I Agree" button binds the user to the service provider with legal force. "Given the emphasis placed on a user's assent, courts favor finding a binding agreement where the user engages in affirmative conduct acknowledging the terms of a TOS. For instance, a genuine click wrap agreement, in which a service provider places a TOS just adjacent to or below a click-button (or check-box), has been held to be sufficient to indicate the user agreed to the listed terms." (Bayley, 2009). Hence some companies' TOS have gradually become terms of abuse that eat up users' privacy, copyright and ownership. It is important to make users aware of how serious the situation is. Then we can cross our fingers and hope that more decent companies survive in the online service industry.

How do service providers abuse users?

Here is the first example: All Your Apps Are Belong to Apple. As much as we might wish a giant company like Apple would choose to do no evil with its market power, the truth is that it hires more talented lawyers to erode user rights. Let's look at some highlights from Lohmann's article (Lohmann, 2010):

  • App Store Only: Section 7.2 makes it clear that any applications developed using Apple’s SDK may only be publicly distributed through the App Store, and that Apple can reject an app for any reason, even if it meets all the formal requirements disclosed by Apple.
  • Kill Your App Any Time: Section 8 makes it clear that Apple can “revoke the digital certificate of any of Your Applications at any time.” Steve Jobs has confirmed that Apple can remotely disable apps, even after users have installed them. This contract provision would appear to allow that.

How ridiculous is Apple's TOS? Once developers upload the applications they write to the App Store, Apple becomes the king of their knowledge kingdom. Users are humbled before the TOS. Amazon behaved in a similar way: it erased Orwell's books from Kindles without users' agreement (Brad, 2009). Another classic example is Blizzard's WOW case (Sherwin, Pearlman, & Mableson, 2008). I guess not many users are aware that "Blizzard owns the content you create in WOW." So users cannot sell the characters they created, despite the time and money they spent.

How does the TOS affect your rights?

The TOS does not just specify how users may operate or use the service provided by companies like Apple, Facebook or Google. More importantly, it grants companies the legal right to deprive users of their basic liberties. The first shaky right is privacy: online service providers collect your personal information not just to data-mine for market strategy, but also to profit from selling your private data to third parties. The second is copyright. For instance, Second Life allows users to buy and sell 'content' (i.e., Linden $), but reserves the right to regulate this content as it chooses. And Second Life is not alone: Blizzard and Facebook also claim whatever you create through their sites. User-created content no longer belongs to the user. Under the restrictions of the TOS, users cannot even choose to cheat in an online game. Derived from the copyright problem, the TOS has greatly changed the meaning of ownership. Let's take a look at one section of the Facebook TOS:

“You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.”(Walters, 2009)

Hence, even if users delete their Facebook accounts, the rights to the content are still controlled by Facebook, not the end users. Apple's TOS is worse than Facebook's because it does not even allow you to sell your application to other companies when Apple refuses to sell it in the App Store. Who owns what users pay for or what users create? The companies with lots of lawyers! They don't need to buy ownership from end users; they just need to add another term to the TOS.

Problems of current TOS

The TOS, acting as a contract, legally binds users to the agreed terms. Unlike a normal contract, the TOS is one that users either take in full or leave. Users never get a chance to negotiate its contents. TOS provisions are usually written by the service providers themselves without any conversation with users; it is a one-sided story. Supporters of the TOS often say, "If you don't like the TOS, you can switch to another service provider." But do users really have freedom of choice? Not necessarily. If every service provider in an industry decides to abuse the TOS, the option of switching providers no longer exists. It is quite possible that the followers of Facebook, Amazon and Apple will all claim that user-generated content belongs to the service provider and that they may legally treat your privacy as nothing. TOS abuse only hurts users' rights, not companies, and this greatly increases companies' incentive to abuse it. Even when users want to read the TOS carefully before choosing a service, the TOS is not designed to be human-readable. Not every company acts like YouTube and provides readable "Community Guidelines" (Youtube, 2010) to help users understand the TOS. It is easier to deceive users if the TOS is confusing.

Solutions

What can we do to make the TOS better? We have heard the phrase "self-regulation." For instance, in February 2009 the FTC proposed the "Self-Regulatory Principles for Online Behavioral Advertising" (Federal Trade Commission, 2009). The self-regulatory program consists of seven principles, such as data security, education and transparency. The FTC hopes these principles will help online advertisers better protect consumers' privacy while collecting information about their online activities. Does it really work? The Center for Democracy & Technology is not as optimistic as the FTC: "Although progress has been made in expanding self-regulatory efforts, self-regulation alone will continue to be insufficient to adequately protect consumers in regards to behavioral advertising. Not only do recently revised self-regulatory principles still fall short even as written, but also the online advertising industry has historically failed to fully implement its self-regulatory principles." (Center for Democracy & Technology, 2009)

So if self-regulation does not work very well, can we use a "standard form contract" to protect user rights in the TOS? As Wikipedia describes it, "Standard form contract is a contract between two parties that does not allow for negotiation, i.e. take it or leave it. It is often a contract that is entered into between unequal bargaining partners." (wikipedia, 2010) What if we had a standard form contract setting the minimum protection of user rights in a TOS? Would we then have better privacy, copyright and ownership? The problem is that the differences between the services offered by different online content providers are huge. We may have standard form contracts to regulate the travel or parking industries, but can we apply the same principle to Facebook, Blizzard, Amazon or Apple? It sounds difficult. But doing something is better than doing nothing. I hope that one day the TOS is no longer a one-sided story in favor of online service providers.

Reference

Bayley, E. (2009, November). The Clicks That Bind: Ways Users “Agree” to Online Terms of Service. Retrieved from Electronic Frontier Foundation: http://www.eff.org/wp/clicks-bind-ways-users-agree-online-terms-service

Brad, S. (2009, July). Amazon Erases Orwell Books From Kindle. Retrieved from New York Times: http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html

Center for Democracy & Technology. (2009, December). Online Behavioral Advertising: Industry’s Current Self-Regulatory Framework Is Necessary, But Still Insufficient On Its Own To Protect Consumers. Retrieved March 2010, from Center for Democracy & Technology: http://www.cdt.org/policy/online-behavioral-advertising-industry’s-current-self-regulatory-framework-necessary-still-in

Federal Trade Commission. (2009, February). FTC Staff Revises Online Behavioral Advertising Principles. Retrieved March 2010, from Federal Trade Commission: http://www.ftc.gov/opa/2009/02/behavad.shtm

Lohmann, F. v. (2010, March). UPDATED: All Your Apps Are Belong to Apple: The iPhone Developer Program License Agreement. Retrieved from http://www.eff.org/deeplinks/2010/03/iphone-developer-program-license-agreement-all

Sherwin, S., Pearlman, J., & Mableson, C. J. (2008, May). MDY Cheating at WOW Bad or copyright infringement. Retrieved from publicknowledge.org: http://www.publicknowledge.org/pdf/pk-amicus-20080502.pdf

Walters, C. (2009, February). Facebook’s New Terms Of Service: “We Can Do Anything We Want With Your Content. Forever.”. Retrieved from consumerist: http://consumerist.com/2009/02/facebooks-new-terms-of-service-we-can-do-anything-we-want-with-your-content-forever.html

wikipedia. (2010). standard form contract. Retrieved March 8, 2010, from wikipedia: http://en.wikipedia.org/wiki/Standard_form_contract

Youtube. (2010). Community Guidelines. Retrieved March 2010, from Youtube: http://www.youtube.com/t/community_guidelines

Battle against ACTA secrecy

Finally there is some hope of ending the secrecy around the Anti-Counterfeiting Trade Agreement (ACTA), thanks to the European Parliament, which overwhelmingly passed a resolution calling for transparency in the ACTA negotiation process and public access to the negotiation texts. The resolution was approved on March 10, 2010, with 633 votes in favor, 13 against and 16 abstentions. "The resolution also states that it 'stresses that, unless Parliament is immediately and fully informed at all stages of the negotiations, it reserves its right to take suitable action, including bringing a case before the Court of Justice in order to safeguard its prerogatives.'" The European Parliament is firmly against the three-strikes rule and personal searches by EU border authorities.

I think this is a step in the right direction. Ever since the United States, the EU, Canada, Japan and several other countries began ACTA negotiations in 2007, there has been controversy over their secrecy. The stated purpose of ACTA is to establish an international framework and common standards for enforcing intellectual property rights against counterfeiting and piracy. Yet every negotiation session has been conducted in secret, and none of the participating nations has disclosed the details. Initially the public did not even know exactly which nations were taking part! I wonder why negotiations which involve intellectual property laws should be kept secret! Politicians and NGOs around the world have been asking for transparency in the ACTA negotiations for the past two years. In November 2009, Senators Bernie Sanders and Sherrod Brown asked the United States Trade Representative (USTR) to make the ACTA negotiation texts public. Their letter states: “ACTA involves dozens if not hundreds of substantive aspects of intellectual property law and its enforcement, including those that have nothing to do with counterfeiting. . . . There are concerns about the impact of ACTA on the privacy and civil rights of individuals, on the supply of products under the first sale doctrine, on the markets for legitimate generic medicines, and on consumers and innovation in general.” Similar requests were made by politicians in Canada, the United Kingdom and many other nations. Although people around the world have called the secrecy crazy and terrifying, the ACTA negotiations still have not been made public. The reason the United States government gives for the secrecy is “national security”, a justification that stunned many people, but the USTR repeatedly insists that it needs secrecy to negotiate the terms with flexibility.

In spite of all this secrecy, ACTA negotiation documents have leaked onto the internet many times over the past two years. In 2008 a document leaked on WikiLeaks revealed what the ACTA dealings are actually about: the business interests of the copyright industry. Businesses want border security ramped up to better monitor shipments of goods that infringe intellectual property rights. They want governments to monitor copyright infringement, increase fines and share the burden of the losses the industry attributes to infringement. And finally, they want the identifying information of alleged infringers handed over to the copyright holders! Copyright law is supposed to serve the public interest, but according to the ACTA leaks, regulations are being drafted to protect corporate interests at the expense of taxpayer money.

The most controversial of all the leaks is the 2009 leak of the Internet provision. According to the leaked document, the US delegation wants to include a provision under which, in order “to benefit from safe-harbours, ISPs need to put in place policies to deter unauthorised storage and transmission of IP infringing content”. In effect, the United States wants the entire world to implement a “three strikes” law. The proposal that ISPs send escalating warnings to subscribers has been widely criticized in the participating nations, since an international treaty of this kind would require changes to domestic law in some of them. The publicity around this leak was so wide that some participating nations now want to ease the secrecy around the negotiations. Swedish Justice Ministry official Stefan Johansson said, “The Swedish government believes that we should release a consolidated text as soon as possible.” Germany and Sweden have ruled out implementing a three strikes law, while nations such as Australia have said they have no intention of changing their domestic laws.

According to Canadian law professor Michael Geist, there is “significant disagreement over a range of issues” in the proposed treaty. The US wants to export DMCA-style rules and to encourage ISPs to monitor for copyright infringement, but many other parties, including the EU, Japan and New Zealand, do not want to adopt them. ACTA is no longer about counterfeit goods so much as about the US wanting other nations to implement three strikes and DMCA rules.

While some of the participants want to make the process transparent, the United States is one of the few that still insists on secrecy. In response to the EU resolution passed on Wednesday, US President Obama reiterated his support for concluding ACTA. The USTR says it does not oppose transparency but must keep some details secret to retain flexibility in the negotiations.

It is blatantly clear that the US is trying to protect the copyright industry at the expense of the rights of internet users. They want the entire world to change its IP laws so that their corporations can make money and control their users, and they want to do it without letting the public see the details of an international treaty that affects millions of users across the world. In my opinion, such negotiations are completely unacceptable and the texts should be opened to public scrutiny.

With pressure for transparency mounting from politicians, lawmakers and citizens in many of the participating countries, the texts will eventually have to be made public, but if the reports of disagreement among the participating nations are true, I doubt the ACTA treaty will ever be finalized at all.

Image Sources:

http://ezee.se/articles-blog2/wp-content/uploads/2009/11/ACTA-RED.jpg

http://steynian.files.wordpress.com/2009/01/new-top-secret.jpg


Outsourcing your personal information

With the advance of web and telecommunication technologies, outsourcing or offshoring IT and information systems has become a common business practice. Companies that used to have their offices and partners in a single country suddenly had IT and trade partners thousands of miles away on another continent. Cost savings and cheap labor were among the prime motivations for the trend. Destinations such as India, China and the Philippines became popular IT outsourcing hubs. While outsourcing IT did have cost benefits, it also meant that organizations had to send customer data and the company’s private information to those destinations. The information shipped to workers at these outsourcing vendors included sensitive medical records, bank account numbers, social security numbers, stock holdings, credit card numbers and so on. Consequently, it became essential for any company with an offshore outsourcing strategy to ensure that its overseas partners are contractually bound to safeguard data security.

Some of the interesting laws regulating outsourcing deals of business processes

Different nations have taken different approaches to data privacy. The European Union has laws that strictly limit the processing and transfer of all personal data. The USA takes a narrower, sector-specific approach, limiting a company’s ability to process data mainly where that processing could cause harm to the people the data describes. When data is transferred to another country for processing, for example to an outsourcing vendor, the company must consider how the laws (or lack of laws) in that country affect the processing and the company’s rights with respect to the information.

C-level executives and privacy audits

To address privacy issues in outsourcing, many companies have created a C-level position, the Chief Privacy Officer (CPO), responsible for developing policies, educating staff and ensuring compliance with privacy law under an outsourcing agreement. CPOs are highly paid and combine legal, marketing and IT skills. Beyond hiring a CPO, organizations engage auditors to review the privacy practices written into the outsourcing contract and those actually followed at the vendor. Typically, a privacy audit involves an outside firm reviewing a company’s policies and procedures for handling sensitive data. Since most company data is now stored electronically, responsibility for carrying out privacy audits usually falls on the CIO. Auditors generally check how and where the data is stored, how it is transferred between the client and the outsourcing vendor and back (and whether it is protected in transit), whether it is exposed to leaks or theft, and whether the vendor’s employees handle it in accordance with the client’s privacy policies and industry standards.

Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles (GAPP) provide criteria and related guidance for protecting the privacy of personal information. GAPP was developed jointly by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) for use by CPAs in the USA and chartered accountants in Canada, both in public practice and in industry, as a way to guide and assist the organizations they serve in building privacy programs into their business processes. GAPP was written from a business perspective and takes into account some, but by no means all, significant local, national and international privacy regulations. It includes guidance that any organization can use to develop sound third-party management policies and procedures.

Analysis of the Satyam Computer Services (SCS) fraud case

There have been many cases where the privacy of data has been threatened by events at the outsourcing vendor. One recent example is Satyam Computer Services (SCS), one of the top IT outsourcing vendors in India. In early 2009, SCS collapsed after its chairman, B. Ramalinga Raju, resigned and confessed to a financial fraud of about $1.5 billion. At its peak, SCS had over 650 global companies as clients (185 of them “Fortune 500” corporations) from industries such as automotive, banking and finance, insurance, healthcare, manufacturing and telecommunications. As soon as the fraud became public, many US clients began withdrawing their outsourcing contracts, fearing that Satyam would no longer be able to run their IT systems, which would mean both the loss of critical customer information and a complete halt to the company’s IT operations. Major companies that decided to withdraw included Coca-Cola, State Farm Insurance and the World Bank.

The interesting aspect of the SCS case is that SCS followed (or at least claimed to follow) all kinds of privacy auditing policies so that, despite being based in India, it could show its global customers that it was taking care of privacy. To ensure high audit standards, SCS had engaged PricewaterhouseCoopers (PwC) as its auditor. The investigation of the Satyam fraud later found, however, that the PwC auditors had not only failed to detect the flaws in SCS’s financial statements but were also not following US auditing standards. The privacy audits conducted by PwC were based on the laws and regulations followed in India rather than on standards such as GAPP followed in the USA. This posed a serious threat to the US and UK companies that had Satyam as their outsourcing vendor. It is worth noting that a financial statement audit does not by itself examine how a vendor stores, transfers and protects client data; those controls have to be checked separately, so a clean financial audit is no evidence of data security. Fearing that critical customer and other information was at risk, Satyam’s US clients ended their contracts with SCS as soon as they learned of the fraud.

In my opinion, outsourcing deals and contracts need to be framed with the utmost care by the companies. It is better if the client appoints its own auditing firm instead of leaving the responsibility for audits to the vendor. The interesting thing in the Satyam fraud case is that even the auditing firm was in India, so the auditors at that firm might not have been aware of the GAPP followed in the USA or Canada. If the clients had sent their own auditors to conduct privacy audits at SCS, they might have been more sure about the security of their data, and maybe the fraud would have been detected much earlier than it actually was. Another important observation from the SCS fraud case is that when a client abruptly ends its deal with an outsourcing vendor, it not only incurs serious financial losses from the sudden halt of its IT operations but also has to bear the cost of finding another vendor. If the client decides to adopt a non-outsourcing business model, it has to bear the costs of building its own IT infrastructure, bringing all critical data back from the previous outsourcing vendor and hiring new IT employees.

References:

Eisenhauer, M. (2005). Privacy and Security Law Issues in Off-Shore Outsourcing Transactions. Retrieved from http://www.outsourcing.com/legal_corner/pdf/Outsourcing_Privacy.pdf

Gilbert, F. (2008). Outsourcing: Privacy and Security Risks. IT Law Group. Retrieved from http://www.itlawgroup.com/Resources/Publications/OutsourcingPrivacySecurity.html

Kinetz, E. (2009). Satyam clients find that breaking up is hard to do. iStockAnalyst. Retrieved from http://www.istockanalyst.com/article/viewnewspaged/articleid/3002095/pageid/1

Prosch, M. (2006). Outsourcing and Privacy: 10 Critical Questions Top Management Should Ask. AICPA. Retrieved from http://infotech.aicpa.org/Resources/Privacy/Privacy+Outsourcing/Outsourcing+and+Privacy+10+Critical+Questions+Top+Management+Should+Ask.htm#applying

The Times of India. (2009). Parekh, Karnik & Achutan join Satyam board. Retrieved from http://timesofindia.indiatimes.com/Business/India_Business/Parekh_Karnik_join_Satyam_board/rssarticleshow/3963267.cms

Vijayan, J. (2004). Offshore Outsourcing Poses Privacy Perils. Computerworld. Retrieved from http://www.computerworld.com/s/article/90354/Offshore_Outsourcing_Poses_Privacy_Perils

Zetter, K. (2004). Outsourcing: Danger to Privacy. Wired. Retrieved from http://www.wired.com/techbiz/media/news/2004/02/62356

Image Sources:

http://www.nicasiodesign.com/blog/wp-content/uploads/2008/12/outsourcing-it.gif

http://balasrini.files.wordpress.com/2009/01/satyam.jpg

http://www.qualityimprovementconsulting.com/files/3258201/uploaded/audit-Cartoon.jpg

Live Blog SXSW: Universities in the “Free” Era

A very strong 101 lecture on new models for universities.

Major problems with current universities:

  • Change happens 1 death at a time
  • TENURE is broken: 6 years = tenure and then there is little to no incentive to keep learning
  • imparting sacred knowledge
  • gatekeepers

Old school professors:

  • lecture with notes
  • drinking from a fire hose
  • 1 to many

New professors:

  • experience designer: guiding the students through interactive systems
  • Project manager: set goals and timelines (Brian: teach them to be PM’s)
  • Curator: helping students build the skills to search through the mounds of info online
  • Resource Allocator: Direct students to others for more information
  • Life Coach: Activating the students to take ownership
  • Validate: act as an emissary to the community promoting student and helping students find their connections in the community
  • Learner: listens to and learn from students (Rowe’s addition)

Ideas to improve the system:

  • Encourage team teachers
  • De-privilege institutional knowledge
  • Reward failure (trying and improving is more important than getting the right answer)
  • Get rid of departments (? I am not sure I am on board with this one)
  • Teach students to ask and answer questions
  • Contribute to the open commons! (more important than publishing in closed journals)
  • Hire people who get these ideas

Here is the talk’s description:

MIT, Yale, Stanford, and others put lectures online. Chris Anderson argues all university lectures should be free. From Academic Earth to TED, it’s free. So what is the value-add of a university education? What models of higher education will survive? How will universities leverage the social web to reinvent themselves?

PRESENTERS

Glenn Platt
Peg Faimon
PS: Could have been more interactive… for a talk on issues with the top down system.
Minor Grammar edits 3-13

Web 2.0 Privacy


Web 2.0 is about connecting people and enhancing the power of working together. An ongoing explosion of new technology is powering increasingly complex social and business interactions as well as enabling an unprecedented level of unmediated information exchange and horizontal organization. This trend is likely to continue because individuals, businesses, and other organizations desire the simplicity, efficiency, and utility these technologies offer.

With Web 2.0 technologies, more people have more opportunities to post information about themselves and others online, often with scant regard for individual privacy. Shifting notions of “reasonable expectations of privacy” in the context of blogs, wikis, and online social networks create challenges for privacy regulation. Courts and commentators struggle with Web 2.0 privacy incursions without the benefit of a clear regulatory framework.

Responding to the rise of social networks, virtual worlds and other Web 2.0 technologies, IBM has launched a project to build tools that help people manage their privacy and identity on the Internet, taking a stab at what could become one of the most pressing issues in online collaboration and data sharing. The project, called “PrimeLife”, involves 14 other partners, is funded with 10 million euros from the European Union, and is led by IBM’s Research Lab in Zurich.

The European Union (EU) has a more restrictive privacy regime than the United States. Because of their different cultural and historical backgrounds, the United States and the EU take different attitudes toward the role of government regulation. In general, EU member states place far greater confidence in public institutions and rely more on administrative law than the United States does.

While the European Union and the United States both claim to be committed to safeguarding personal privacy, there are fundamental differences in how they pursue this goal. The American approach to privacy protection is driven largely by business interests, compared with the EU’s rights-based approach.


The growth of e-commerce requires consumer confidence, and privacy is a key requirement in building it. An increasing number of consumers are concerned with how their personal information is used in the online marketplace, and many would rather forgo web-provided information and products than hand a website their personal information without knowing that site’s information practices. These findings suggest that effective and meaningful consumer privacy protections need to be implemented if the online marketplace is to grow significantly.

In the online marketplace, the amount of information a social network can broadcast, sometimes without the user’s knowledge, can be astonishing. In Facebook’s Beacon controversy, purchases made on partner sites were reported back to Facebook and posted to users’ feeds. If, for instance, a man bought his fiancée a ring on one of the Beacon partners’ sites, the purchase might be broadcast to his bride-to-be’s news feed before he had a chance to pop the question, and this actually happened. Facebook later apologized for the service overstepping its users’ privacy, offered an opt-out from such advertising on users’ profiles and, months later, took steps to let people control their privacy with greater specificity than before. But that is just Facebook. Keeping track of every social network and web community one belongs to is nearly impossible for a person to do on his own.

Google Buzz is another example of how fragile privacy is on today’s internet. Google released its new social tool, Google Buzz, not long ago. What Google Buzz does is essentially mash up two similar but distinct services: Twitter and Facebook. Twitter is very open: anyone can follow or send messages to anyone else, but what people can find out about you is very limited. Facebook reveals more of our personal information, but we also have much more control over what strangers can see. Without your permission, a stranger can’t see much.


When you first opened Google Buzz, it automatically set you up with followers and people to follow, chosen from the contacts you email and chat with most. The problem was that the people you follow and the people who follow you were made public to anyone who looked at your profile. In other words, before you changed any settings in Google Buzz, someone could open your profile and see the people you email and chat with most. The fact is, the more you use Google, the more you expose, because every service you sign up for is built around your Gmail address. And since Google effectively made that address public via your Google Profile URL and Google Buzz, anyone trying to get into your account already knows the username; all that’s left is your password.

Studies in behavioral economics suggest that online information privacy is important to users and that users desire more control over access to their personal information and subsequent use of the information after it is obtained. If users are aware of their privacy concerns and deem privacy important, they are more likely to take steps to protect their own interests.

Indeed, privacy policies can be seen everywhere today, and they give the impression that websites safeguard personal information that they collect. When the policies are read, however, there is often very little privacy protection being promised. Policies might disclose how data is collected and how it will be transferred, sold, or traded, but often the message is that information will be collected in whatever way the website can obtain it, and the site reserves the right to share or sell it with impunity.

The “PrimeLife” project IBM is working on aims to give users control of their personal data on the internet. It has a data manager that gives users an overview of which personal data they use when, where and how. It lets users define default privacy settings and preferences for all kinds of applications, and it prompts the user when an application requests data for any other purpose.

We can’t be sure how much impact this project will have on the Internet world. After all, there are other variables. Recently, Microsoft Bing agreed to hold users’ personal information for only six months, while Google and Yahoo will continue to keep it much longer to “improve search quality.” Google stores cookies for a year and a half, far longer than it should need them for any purpose other than sending you targeted ads.
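How long a site’s cookies actually persist is something you can check for yourself from the Set-Cookie headers it sends, rather than relying on published policy. The script below is an added example written for this page; it is not code from the original post or from any of the companies named. It parses constructed Set-Cookie header values (illustrative, not captured from any real site), computes each cookie’s lifetime from Max-Age or Expires (Max-Age takes precedence when both are present, as RFC 6265 specifies), and flags cookies that outlive a retention limit. The header values, the fixed reference time and the six-month limit are all assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie header values for illustration; not captured from any real site.
SAMPLE_HEADERS = [
    "PREF=ID=abc123; Expires=Sat, 10 Sep 2011 12:00:00 GMT; Path=/; Domain=.example.com",
    "sid=xyz; Max-Age=15552000; Path=/; Secure; HttpOnly",
    "session=s1; Path=/; HttpOnly",
    "track=t1; Max-Age=63072000; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]

# Fixed reference time so the example is reproducible (an assumption, not a live clock).
NOW = datetime(2010, 3, 10, 12, 0, 0, tzinfo=timezone.utc)


def cookie_lifetime(header, now=NOW):
    """Return (name, lifetime) for one Set-Cookie header value.

    lifetime is a timedelta, or None for a session cookie that carries neither
    Max-Age nor Expires. Per RFC 6265 section 5.3, Max-Age takes precedence
    over Expires when both attributes are present.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = None
    expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass  # a malformed Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # an unparseable date is ignored
    if max_age is not None:
        return name, timedelta(seconds=max(max_age, 0))
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, max(expires - now, timedelta(0))
    return name, None


def flag_long_lived(headers, limit=timedelta(days=180), now=NOW):
    """Return [(name, days)] for cookies whose lifetime exceeds the retention limit."""
    flagged = []
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if lifetime is not None and lifetime > limit:
            flagged.append((name, lifetime.days))
    return flagged


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, lifetime = cookie_lifetime(header)
        print(f"{name:8s} {'session' if lifetime is None else f'{lifetime.days} days'}")
    print("over limit:", flag_long_lived(SAMPLE_HEADERS))
```

Against the sample headers, the 180-day limit flags PREF (set to expire about 18 months out) and track (a two-year Max-Age that overrides its 1970 Expires date), while sid sits exactly at the limit and the session cookie is not flagged at all. To run this against a real site, feed it the Set-Cookie values from the response headers; note that a short lifetime on the cookie says nothing about how long the server keeps the data it logged while the cookie was alive.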

We can’t control how Internet companies like Google use our personal information, but at least we can raise users’ awareness. By giving users the choice to control their own information, we help them learn that they have the right to demand protection of their information, rather than just taking whatever is given to them.