Not that you asked...  

March 30, 2005

It's like insurance or data backups...

You don't think you need it - until you need it. Privacy compliance. Often considered by many or most corporations as a major pain in the rear - until there is a major privacy or security issue to deal with. Security breaches. Stolen data. Corporate espionage. Class action lawsuits. There is a lot to be wary of.

I ran across this article at ComputerWorld in my IAPP Daily email alert - Regulations should be Impetus for Standardization - now, it is really more of an "infomercial" or advertisement written like a news story, but I think the lead-in characterizes the problem space well:

Privacy and data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley (SOX) are viewed unfavorably by many who perceive them as inefficient business cost centers. But the various industries affected by these regulations should take the opportunity to standardize business practices around the regulations in order to create greater business efficiencies and enhance compliance.

Most industries have some US federal regulations or legislation that must be adhered to as a cost of doing business. Don't forget the numerous state-level statutes regulating privacy and security issues. If you are a global company, you are dealing with much stricter standards already - mostly in Europe. If you are a smaller corporation or company anywhere, even one not in a highly regulated industry - just having customer and employee data puts you at risk.

The bottom line - pay some attention, a lot if you can. If you can't pay a lot, a little may not be enough - but it is better than nothing.

If you can, elect a privacy officer. Make it someone's job to be the internal watchdog. Embrace this "cost center" and make it an efficient entity in your business.

If you can't hire someone explicitly to cover privacy for your organization, at least designate some combined coverage for oversight at a minimum. A "privacy council" could work - a few representatives from key areas in your staff: legal, operations, IT, HR, and Sales.

Privacy touches all aspects of an organization - so make sure your owner and/or privacy team has access to those groups or reflects that diversity.

Privacy issues for businesses today are only going to become more prevalent. Technological advancements at a nearly alarming pace have ushered in an age where individuals are being serviced online or wirelessly in ways that are already ubiquitous. Email, IM, Blackberrys, Tivos, cellphones, Treos, PalmPilots, Sidekicks. As Peter Hoskins recently reported:

• There are now over 500,000,000 Java enabled phones in the world
• The majority of the world will first experience the internet through their mobile phones
• There were a BILLION wireless devices sold last year, and around 100 million PCs

Just think of the service industries and businesses taking advantage of the market opportunities there. Then think of the hackers, phishers, and other bad actors also targeting their customers. Protecting those customers from harm must be actively managed in a measured fashion.

Oh, and don't forget traditional, offline business models and data storage. Just because you may not be an online business doesn't mean you aren't a target.

The business world changes fast and it can be hard to keep up. This is especially true with protecting your customer data and assets - and the importance of privacy and security can be easily overlooked.

Don't get caught in a privacy mess, just because compliance is a pain, or an extra cost. The one time (or next time) you have an issue, being prepared could be the thing that saves your business. You only get one privacy mulligan in the court of public opinion (if you are lucky). Try not to need it.

Posted by gcrgcr at 8:55 PM | Comments (1)

January 28, 2005

Spam, Spim, Cram and Spit...

First there was Spam - ever pervading the lives of those who use email at any level.

Then, Spim was born - IM spam - which I've not really been affected by recently. In the old days when I used ICQ - an early internet chat platform - I used to get lots of unsolicited IMs - it was brutal, frequent, and annoying.

Bloggers have also found that their blog software has been targeted by spammers. Spammers misuse the "comment on this entry" feature to paste in spam messages. People tend to refer to this as "comment spam" - I'll call it "cram" for now. Cram has gotten bad enough that blog software companies have had to offer tips on how to reduce cram - as well as repair software flaws for vulnerabilities that allowed spammers to also email spam through the comment engine.

So not only am I an email user, an IM user, and a blogger - and therefore dealing with Spam, Spim, and Cram every day - but now along comes Spit. Read Aunty Spam's account of Spit.

What is Spit? Simply put, it is VOIP (Voice Over IP) spam.

For broadband telephone service customers - of which I recently became one through Lingo - this is an exploit that occurs when you are speaking with someone.

The "Spitter" basically hacks into the call, in a way that the caller can't hear but the receiver can, and plays audio spam to the person you called.

It may be the most annoying type of spam and I hope it does not become prolific. Services like Vonage and Lingo should be doing all they can now to eliminate or mitigate this vulnerability.

As yet, I haven't been "Spit" on - and I hope it doesn't happen. This will be an interesting one to keep an eye on.

More on Spit via Google if you are interested.

Posted by gcrgcr at 9:57 AM | Comments (0) | TrackBack

July 26, 2004

Big Brother

My friend Andrew Currie dropped by the other day - he noticed a book on my desk-side shelf, Web Security, Privacy, and Commerce - by Simson Garfinkel. First, let me say that I like Simson a lot - I've read this book as well as his monthly column in MIT's Technology Review. Additionally, you have to like a guy whose name is 1 degree from Art Garfunkel - Simson actually looks kinda like Art too! Seriously, check out Simson's blog if you are interested in technology and security.

I'm a privacy advocate, and the book is a superbly comprehensive view of the existing landscape of privacy and security on the Internet. Looking at it now on Amazon, I'd say the second edition is out and I need to get it.

This book is a great read for fundamentals on biometrics, authorization, authentication, exploits in secured systems, applied technologies for security and privacy, and more. As I find with many O'Reilly books, save for the programmatic reference books, reading the first chapter or two tends to provide an encompassing overview of a topic area.

Privacy and "Big Brother" have been on my mind lately - two things I've heard recently that can imaginatively be combined. First, this quick hit from Frank Barnako's Internet Daily for Schwab on July 20th:

Internet addresses for all - The organization that oversees the allocation of Web site addresses says new technology has made it possible for every person, printer, computer and other Net-connected device to have its own Internet address. Vinton Cerf, at a meeting of the Internet Corp. for Assigned Names and Numbers, said, "This is a big, big step," Reuters reported. Before the development of the new technology, known as Internet Protocol V. 6, almost two-thirds of the available Internet addresses had been used. With IP Version 6, the available number is multiplied "25,000 trillion times," Cerf said.

25,000 trillion is a big number. It strikes me that this goes beyond every person on the planet having an IP address available for their printer, computer, and IP-connected devices - by today's standards - and that the future might hold that all of a person's belongings become IP-connected devices.

Consider the implementations of RFID technology. RFID, for those who don't know what it is or how fast it's coming to a shopping center near you:

Radio frequency identification, or RFID, is a generic term for technologies that use radio waves to automatically identify people or objects. There are several methods of identification, but the most common is to store a serial number that identifies a person or object, and perhaps other information, on a microchip that is attached to an antenna (the chip and the antenna together are called an RFID transponder or an RFID tag). The antenna enables the chip to transmit the identification information to a reader. The reader converts the radio waves reflected back from the RFID tag into digital information that can then be passed on to computers that can make use of it.

The above comes from the "RFID Journal" FAQ page. RFID is seen as "the next bar code" - a supply chain advancement for the new millennium, allowing retailers and others to track inventories with small radio-frequency embedded labels. Wal-Mart has consistently been in the news regarding RFID for a few years, having delayed trials initially due to the privacy uproar that ensued following indications that they would be tested. Most people now get the fact that this is a useful technology for consumers as well as retailers. I guess if there are savings in supply chain management, Wal-Mart's prices for one thing should come down further, right?

From the site:

A number for every item on the planet - RFID employs a numbering scheme called EPC (for "electronic product code") which can provide a unique ID for any physical object in the world. The EPC is intended to replace the UPC bar code used on products today.

Unlike the bar code, however, the EPC goes beyond identifying product categories - it actually assigns a unique number to every single item that rolls off a manufacturing line. For example, each pack of cigarettes, individual can of soda, light bulb or package of razor blades produced would be uniquely identifiable through its own EPC number.

Once assigned, this number is transmitted by a radio frequency ID tag (RFID) in or on the product. These tiny tags, predicted by some to cost less than 1 cent each by 2004, are "somewhere between the size of a grain of sand and a speck of dust." They are to be built directly into food, clothes, drugs, or auto-parts during the manufacturing process.

Receiver or reader devices are used to pick up the signal transmitted by the RFID tag. Proponents envision a pervasive global network of millions of receivers along the entire supply chain - in airports, seaports, highways, distribution centers, warehouses, retail stores, and in the home. This would allow for seamless, continuous identification and tracking of physical items as they move from one place to another, enabling companies to determine the whereabouts of all their products at all times.

The "Big Brother" concerns arise when these types of technologies meet each other. IPv6 provides IP addresses for me and everything I own, even each piece of currency in my wallet. Now there is a minute chip that could be IP-enabled in every product I own. If I live in Portugal, the government is already RFIDing my dog.

So, does it mean that the government will monitor every action of every person, or use such knowledge as leverage to control its people? I dunno - not likely, but once someone has any kind of power, it can be used any way they like - regardless of the intent.

And, the masses themselves have their own police power via technology over the government. For example, these types of technologies, once commonplace, can be used by the people themselves, possibly to monitor corporations or the government. George Orwell's 1984, which sadly I admit to having not read, at least since the 5th grade - so I'm putting it on my reading list - pushes forth the idea of government monitoring and control. A monitor in every citizen's home, spewing control propaganda and monitoring what citizens do. This hasn't happened in 1984 or in 2004 - instead, technology has enabled citizens to poke government with technology.

Recently, the US military has been investigating dozens of allegations of prisoner abuse - Abu Ghraib prison in Iraq being one of the cases. This was not a case of the US coming clean with a press release on their own. This was a case of ubiquitous technology - digital cameras - being used by the soldiers accused of abuse themselves, enabling photos that were taken to be quickly distributed via the Internet to the world. Seriously, in all of 5 minutes, one soldier could snap a picture, email it to a friend or news agency and bang - the US has a major issue on its hands.

Food for thought.

Posted by gcrgcr at 8:51 AM | Comments (0) | TrackBack