Limiting the cyber security risks of Internet of Things devices has long been a plea by experts. But a new report says lawmakers, regulators and manufacturers need to pay equal attention to sealing off the privacy risks of sharing data through so-called smart devices.
“Rather than wait until privacy norms have already been eroded by the IoT, regulators and designers should work together now to build usable privacy into the products they create,” says the report. “Such measures will be essential to ensuring that our society continues to uphold the value of privacy as a fundamental right.”
Policymakers should take steps to regulate the privacy effects of the IoT before mass sensor data collection becomes ubiquitous, rather than after, the authors say. Omnibus privacy legislation can help regulate how data is handled in the grey areas between sectors and contexts.
At the same time makers of IoT products and services should employ a variety of standard measures to provide greater user management and control, as well as more effective notification about how personal data is captured, stored, analyzed, and shared.
“The IoT has the potential to diminish the sanctity of spaces that have long been considered private, and could have a ‘chilling effect’ as people grow aware of the risk of surveillance,” the report says. “Yet the same methods of privacy preservation that work in the online world are not always practical or appropriate for the personal types of data collection that the IoT enables.”
The report calls for an omnibus privacy bill, which a number of countries have, including Canada. The U.S. is one that doesn’t have a national privacy law. The report applauds the European Union’s General Data Protection Regulation, which calls for the principles of privacy by design to be built into products and services that collect personal data. Canada’s private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA), doesn’t go that far.
The report argues that as “smart” becomes the new default setting for devices, consumers are losing the ability to monitor and control the data collected about them, and they often have little awareness of what is done with their data downstream. The risks of sharing data through smart devices are not always clear, particularly as companies combine data from different sources to infer an individual’s habits, movements, and even emotions.
That’s why the authors say that having “broad non-specialist” public conversations about the use, collection, and effects of IoT data is essential to help people understand the IoT and how it affects privacy expectations.
There are lots of predictions of how many connected devices are coming to the world as industrial machines add sensors, retailers and police add surveillance cameras with facial recognition, and people buy voice-controlled connected home speakers, Internet-connected TVs and smart door locks. Google’s parent Alphabet wants to wire a Toronto lakefront neighborhood.
“The introduction of such a broad and diverse sensor fabric into society has undoubted benefits, but it also introduces risks that must be explored and managed,” says the report.
“Retreating to one’s home, closing an office door, or hanging up a phone may have previously allowed a person to feel a measure of control over who might be listening or watching,” the report points out, “but the presence of network-connected devices in private spaces can remove this sense of control and privacy.”
It doesn’t help, the report adds, that several government regulating agencies may oversee an industry and may fight for control over privacy. For example,
Companies should follow the privacy by design principles and be transparent and forthcoming about their data collection policies, says the report, and not collect or use data in ways that violate people’s expectations. Companies should commit to protecting users’ privacy by only collecting data for which they have specific uses, and by deleting the data when it is no longer needed. In addition, users should be given more power to update their privacy settings during the pre-collection or post-collection phases.
A more detailed version of the report, entitled Clearly Opaque: Privacy Risks of the Internet of Things, can be found at https://www.iotprivacyforum.org/clearlyopaque.
Companies should create a Code of Practice clarifying if and how they will oblige people who demand that personal information online be taken down, as well as their online privacy policies, says the federal privacy commissioner.
That recommendation was one of several made in a draft proposal on helping people protect their online reputation released this morning for public comment by Privacy Commissioner Daniel Therrien.
At a minimum, such a Code would respect and implement what the commission calls “no-go zones” (actions companies shouldn’t do) it has already suggested, the report says. It would also uphold the right for people to ask search engines to de-index or take down articles about themselves that they find offensive. “Ideally, such a Code would, over time, establish a reasonably consistent experience that would allow Canadians to understand the basis by which organizations are making decisions with respect to their de-indexing or takedowns requests.”
De-indexing content does not remove it from the web, but only removes links to the source content from search results for searches on an individual’s name.
“Canadians need better tools to help them to protect their online reputation,” Therrien said in a statement on the release of the discussion paper.
“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove.”
Therrien is not proposing the federal Personal Information Protection and Electronic Documents Act (PIPEDA) include a so-called “right to be forgotten,” which is part of the European Union’s General Data Protection Regulation (GDPR), which comes into effect May 25. Instead he suggests that provisions in PIPEDA now can be interpreted to give people that power.
PIPEDA already says an individual shall be able to challenge the accuracy and completeness of his or her personal information and have it amended as appropriate. It also says when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, an organization shall amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion, or addition of information.
Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance, a social media site, says the draft suggestions. In cases where others have posted information about an individual, they have a right to challenge and seek an amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.
Search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down, adds the report. Most do through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.
The report’s suggestions were criticized by Halifax privacy lawyer David Fraser. “I don’t think it’s a correct interpretation of the law, certainly not in light of the Charter (of Rights). I also think it’s bad public policy.”
If a news story isn’t accurate then the content provider and not a search engine should remove it, he argued, by persuading the site that information isn’t accurate. “Putting search engines into the position of having to also be the arbitrator of whether information on the Internet is fair is completely unreasonable and untenable.”
“I do a lot of work in the area of cyber-bullying on behalf of victims, so I’m not heartless on the topic” of online reputation. “But I also recognize we also have a Charter of Rights and Freedoms that guarantees we have a right to freedom of expression. It doesn’t guarantee the right to privacy, at least with respect to individuals and private sector entities.” Such a right wouldn’t withstand a Charter challenge, he believes.
The question is whether there is enough of a problem with online reputation that the law needs to intervene, he said, instead of the private sector creating mechanisms to do it in a fair and balanced way. Many of the problems he’s seen aren’t ‘Bob on his Facebook page said something mean about me,’ but something written by a news media site. “And I cannot imagine in a million years that we can fashion a mechanism that would require the removal of content that is otherwise true or was accurate at the time” and still meet the Charter’s right to freedom of expression, he said.
Therrien also recommends Parliament study this issue of online reputation and people’s rights to have online information about them de-indexed or removed in the context of balancing freedom of speech and right to privacy.
The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.
De-indexing has become a concern among people who, for example, were convicted of an offence years ago but are dismayed that when someone searches their name the first thing that pops up is a news report of the crime. The news story may rank high because of the way a search engine indexes a story. While not removing content from the internet, “de-indexing can have an important impact on an individual’s reputation and right to privacy,” the report argues. But the report also argues that requests should be dealt with by search engines on a case-by-case basis: de-indexing may not be mandatory, it says. In some situations, other solutions (such as lowering the ranking of a result, or flagging it as inaccurate or incomplete) may also be appropriate.
It also argues a single inaccurate statement or the omission of a single fact, within an otherwise wholly accurate webpage, may not warrant de-indexing of the page – particularly where the inaccuracy or omission does not materially impact the interests of the individual.
The commission believes Canadian-based search engines (for example, “google.ca”) are covered by PIPEDA. The report acknowledges that de-indexing information here doesn’t mean it would apply to the “.com” version of a search engine, but PIPEDA can’t be applied outside this country.
“De-indexing is a means of providing an effective remedy to individuals for certain privacy harms, but it is not without challenges and is not a perfect remedy for all harms to online reputation,” says the report. “We have taken the position that PIPEDA requires organizations, including search engines, to assume accountability for their actions, and provide some challenge-type mechanism that individuals can resort to when challenging compliance with relevant principles.”
As for the right to have information removed from a Web site or made anonymous, the report argues principles in PIPEDA “imply that individuals should be provided the ability to remove information which they themselves have provided to an online forum that is involved in commercial activity,” for example, a social network or online forum. “For instance, individuals should be able to delete one or more social media posts without having to delete their entire account, and they should be able to do so independently, without having to make a request subject to the organization’s response,” says the draft report. Some sites already allow this.
If personal information about a person is provided by another, PIPEDA doesn’t give the first person an unqualified right to have that information removed, the draft report argues. However, the law may allow information to be challenged for accuracy and appropriateness.
Comments on the report are due by April 19.
(NOTE: This story has been updated from the original to include comments from David Fraser)
Ann Cavoukian spent more than 15 years as Ontario’s Information and Privacy Commissioner between 1997 and 2014, but her new venture expands beyond provincial borders.
Cavoukian has created a new global council called Global Privacy and Security by Design to promote and advocate for research into the next level of privacy protections. The council’s board includes notable names such as Telus CEO Darren Entwistle, SecureKey CEO Greg Wolfond, and former US secretary of Homeland Security Michael Chertoff.
“Whenever there’s an increase in terrorist incidents – dating back to Charlie Hebdo, San Bernardino, Manchester, Vegas, Paris, the list goes on and on – the pendulum swings right to forgetting about privacy and focusing on public safety and security via any means possible and that’s what sparked this council,” Cavoukian tells IT World Canada. “Of course we need security, but not at the expense of privacy. You can have both; you must have both. Privacy forms the foundation of our freedom and liberty, we can’t give up on that.”
Raising awareness is the first step, but when it comes to practical action, Cavoukian thinks the best way to achieve this balance is to proactively embed privacy and security functionalities into the designs of developing technologies like artificial intelligence (AI) and machine learning. Thus, the council was created with an explicit goal of researching how exactly this can be done.
“I hear so many people tell me ‘Oh, we have to say goodbye to our privacy because technologies are expanding surveillance and data collection and there’s nothing we can do because it’s for our own safety’ and that’s so wrong. You can have both, and that’s why education is our first goal,” she explains. “But our second and equally important goal is working with the engineers, computer and data scientists, and innovators on how they can embed privacy into the design of the products or services they are creating. We need to tell them this is important from the get-go, not when they’ve already delivered the program and privacy becomes an afterthought.”
The former privacy commissioner, and now Distinguished Expert-in-Residence at Ryerson University, wants to go into postsecondary schools to work with students and professors as well as target executives within the corporate community to spread her message.
The council’s third goal is to collaborate with policy designers in both government and business in hopes of tearing down the traditional “silo” approach to developing privacy strategies.
“Companies and even the government need to get past the separation of departments. You’ve got to have cross pollination and people talking to each other about the deliverables that they want and the goals they want accomplished. If marketing or legal teams care about privacy but that priority doesn’t get to the programmers before they start their code, there needs to be less of a silo approach. It’s ambitious but we have no other choices,” Cavoukian stresses.
A fundraising gala was held for the international council on Jan. 25 in Toronto and it raised thousands of dollars from attendees that include Deloitte, Microsoft, and Google executives, proving that the message Cavoukian is spreading is resonating with a wide audience.
She points to Germany as a leader in the privacy and data protection space, saying that its emphasis on privacy is a model that should be emulated. She also commends the European Union’s new General Data Protection Regulation (GDPR), which comes into effect on May 25 and essentially strengthens the rights of individuals to control the use of their personal data, and believes similar action should be taken in North America. The GDPR includes both privacy by design and privacy by default, which requires that companies and governments restrict the use of the information they’re collecting from someone for the primary purpose intended for the data collection.
“This is such an amazing statute because for the first time ever, it includes privacy by design and privacy by default. You don’t give information to a company or government to do whatever they want with it, you give it for a particular purpose that is warranted. Under the GDPR, these organizations are not permitted to use it for any other purpose without coming to you to obtain your positive consent,” she says. “That’s the opposite of what happens now. Unless an individual takes the time to scour the terms of service to understand what data is being used and opt out – which no one does – personal data is being collected and used for purposes beyond what you gave explicit permission for.”
Canada’s data privacy regulation governing the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA), has been in effect since 2000, and Cavoukian says it’s time for updated legislation so the country can keep up with the global pace.
“Canada was on par with the former EU privacy law and we traded with them without any concern, but GDPR is leaps and bounds ahead. Our federal privacy commissioner Daniel Therrien has called for an upgrade of the law because so much has changed since the early 2000’s and we’re obviously behind that,” she agrees.
While the US struggles with rampant surveillance and no independent commissioners, Cavoukian doesn’t see Canada going down the same path as its southern neighbour.
“We do fare much better than the US and I don’t think we’ll go in that direction. Over my dead body,” she laughs. “We’re much more closely aligned with the EU on privacy measures and I’m pleased with federal commissioner Therrien’s approach in trying to update Canada’s regulations.”
Cavoukian is hopeful for the future, convinced that emerging tech like AI will help Canadians find the right balance between security and privacy.
“We’re looking to fund research into embedding privacy in new technology because we need to pave the way and prove this is doable. My view is we have to believe this is possible; we don’t have a choice. If you value freedom and liberty, then you value privacy,” she concludes.
Companies covered under federal law will have to report data breaches to customers, affected third parties and the federal privacy commissioner starting November 1, the government has decided. However, Ottawa still hasn’t proclaimed the regulations that firms will have to follow, which is puzzling privacy law experts.
The proclamation of the implementation date for the long-awaited mandatory breach notification regime was made quietly March 26 by the cabinet in an order-in-council.
That gives companies seven months to prepare internal processes to comply with the regulations, including creating a record of any data breach. They have a rough idea of what’s coming because draft regulations were released last September. But until they are proclaimed details of exactly what companies have to do to comply are still unknown.
A news story Tuesday on the site iPolitics.ca, which discovered the March 26 announcement, appears to have caught everyone off guard. Some privacy experts thought that any data breach notification news would be tied in with the expected announcement of the government’s updated cyber security strategy. No date for that has been set.
“I’m surprised,” Halifax privacy lawyer David Fraser of the firm McInnes Cooper said in an interview today of the quiet announcement. “Given that this is one of the most significant amendments to our privacy law in years, and it’s something the government could easily spin as a good news story to consumers I would have thought the government would have wanted a little bit of traction around it.”
“It is a bit of a head-scratcher.”
At press time, the press spokespersons for the Industry Minister (now the ministry for Innovation, Science and Economic Development) had not replied to a request this morning asking when the regulations will be proclaimed.
UPDATE: In an email Karl Sasseville, press secretary to Innovation Minister Navdeep Bains, said the final regulations will come into force “in the coming months.”
Under the data breach notification obligations companies
Companies in all provinces except British Columbia, Alberta and Quebec — which have their own privacy laws — as well as federally-regulated firms including banks, telecom companies and transportation firms, will be covered by the federal data breach notification obligations.
Firms have long known this was coming. The implementation of the data breach notification regime has been hanging around since June, 2015 and the passage of the Digital Rights Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). The breach notification section was suspended to give companies time to comment.
The draft regulations suggest organizations would have to keep a record of every breach of security safeguards for no more than 24 months after the day the breach has occurred. That time-line is only firm when the regulations are proclaimed.
Similarly, the proposed regulations wouldn’t impose a new method of record-keeping for breach reports. A copy of the report as sent to the federal privacy commissioner would be sufficient. Again, the record-keeping obligation is only set when the regulations are final.
The regulations also will set out exactly what information has to be sent to affected parties. The proposed regs say notification to possible victims has to include:
— a description of the circumstances of the breach;
— the day on which, or period during which, the breach occurred;
— a description of the personal information that is the subject of the breach;
— a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
— a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
— a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
— information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
You may have heard by now that new rules in the Canadian Digital Privacy Act (PIPEDA) are going into effect as of November 1st 2018. Among those rules is the new mandatory notification of any data breach. Organizations will need to promptly notify the affected individuals, third parties, as well as the Privacy Commissioner of any data breach that can cause harm to an individual, termed ‘significant harm’, which includes bodily harm, reputation, humiliation, financial loss, etc. A summary of the key changes to PIPEDA can be found here.
These new rules are important because our data is valuable to cybercriminals and they will be relentless in trying to infiltrate our networks. Cybercriminals are constantly evolving their techniques of attack at a much faster pace than defenders. The malware they use is designed to evade detection and as a defender, our ability to protect our organization and recover from a breach will be largely dependent on the steps taken to strengthen our security posture. Prevention is our key objective but a solid Remediation plan is equally important in the event of a breach.
1. THE BASICS: We need to get much better at dealing with the basics of cyber security. Patch your applications, operating systems and appliances, make sure you follow your corporate policies around patch management and, if needed, update your procedures. A great example is described in Cisco’s Annual Cybersecurity report: Microsoft warned in March 2017 about the vulnerability that triggered WannaCry, and only after the exploit made the headlines did organizations accelerate their patching activities. Over 2 months elapsed, leaving organizations vulnerable to the exploit during that period.
2. THE FIRST LINE OF DEFENSE: Implement a multi-layered security strategy that leverages the internet infrastructure to block malicious destinations. Leverage the cloud to block dangerous connections from being established and stop malware from reaching the network and endpoint. Cisco Umbrella provides a first-line-of-defense with a solution that requires no hardware, no software and can be easily deployed across the entire enterprise in minutes. Powered by Talos threat intelligence, Cisco Umbrella provides protection for users ON and OFF the network and will stop data exfiltration and ransomware encryption.
3. NUMBER ONE ATTACK VECTOR: Email continues to be the largest attack vector and the primary tool used by cybercriminals to distribute malware. 90% of breaches start with email because it takes threats directly to the endpoint. The attackers will use social engineering techniques combined with phishing, malicious links and attachments to deliver exploits to the endpoint. Having a ‘good enough’ email security solution is no longer good enough for defending your organization. Cisco offers best in class Email Security that easily integrates with Microsoft Office 365 to provide customers with exceptional threat protection. Cisco’s Email Security solution is powered by Talos threat intelligence.
4. LAST LINE OF DEFENSE: If everything else fails, then your endpoint solution needs to provide protection against the threats. However, you cannot rely on your traditional anti-virus technology: advanced threats will go undetected and can be present in your network for months. Almost all endpoint security vendors claim to block 99% of malware, but what about the 1% that’s missed? The threats in that 1% are what we need to be concerned with; those are advanced and targeted threats that will evade front-line defenses, cause serious damage and steal valuable data.
Organizations need a Next Generation Endpoint Security that integrates Prevention, Detection and Response capability in a single solution. Cisco’s AMP for Endpoint is the last line of defense that continuously monitors and analyses files in your network to uncover the 1% of threats that other solutions miss. If a file that appeared clean upon initial inspection suddenly exhibits malicious behavior, AMP for Endpoint will detect the change, contain and remediate the threat and will include a full history of the file activity for forensic purposes.
Are you ready in the event of a breach? Did you know that 60% of breaches have data exfiltrated in the first 24 hours? What is the plan? Pull the network cable to the internet to stop threats from spreading. Cisco Security Advisory Services can help with Incident Response Services.
1. READINESS: Proactive Services include several activities to make sure you are ready in the event of a breach. We evaluate a number of data points to obtain a deep understanding of your environment and your practices. We will coordinate and perform threat hunting work with your team to look for vulnerabilities, malware and active compromises in your environment. We act as a 3rd party in table top exercises to evaluate the effectiveness of your existing Incident Response plan. Based on our findings, we will prioritize our recommendations and will assist in preparing the environment to better prevent, detect and respond to future incidents.
2. RETAINER: Reactive Services are needed when you have an inevitable security incident. The Cisco team goes into action within 4 hours and will be onsite within 24 hours of the incident report. The team will assess the situation and initiate a response; they will co-ordinate status, action items and provide updates as needed. The team will do a deep investigation to understand the scope of the attack, deploy the necessary tools to perform forensics and quarantine the attack. Once contained, the team will remove all malware and tools left behind by the attackers. If needed we will bring in our crisis communications team to manage any external breach communication.
Speak to your account manager about the Ransomware Defense Bundle.