Sunday, December 19, 2010

Who Owns Our Data?

When considering the ownership of information about a person, we need to consider a number of factors. Initially, we need to establish who generated the information as this will impact the entitlement to store and access the information. For example, Social Insurance Number (SIN) is generated Service Canada when a person is born or immigrates to Canada, therefore there is legitimate business need to store the information in its database. On the other hand, if the information was generated by a different entity (even the person itself), it is questionable if the government has a legitimate need to access that information. Although the legal complexity increases as the technology advances and more and more information is stored, in majority of countries the ownership of the data is governed by a law or a privacy act.
Whereas, as mentioned by Jones, Andy, Glenn S. Dardick, Gareth Davies, Iain Sutherland, and Craig Valli (2009) “there has also been an increasing trend in the use of the same computer to process and store both the organisation’s and the individuals personal information” therefore in corporate environment the lines are more blurry. For example, if a person uses corporate resources to send and receive Email messages containing private information, does the organization have a potential entitlement for the information?
To thoroughly examine the complexity of data ownership, consider the following scenario. An employee is required to provide medical, credit and personal (previous employment, skills, etc.) information prior to employment. Then, an employer generates information about the employee such as salary, weekly utilization and performance measurement. Finally, during the employment the employee generates information such as documents, software code, idea and thoughts which could be owned by the organization or by the employee itself. The last case is usually covered by an employment contract but the other cases are not always defined by a contract or an applicable legislation.


  • College, Mitchell A. 2010. "Disclosure and Secrecy in Employee Monitoring." Journal of Management Accounting Research 22, 187-208. Business Source Premier, EBSCOhost (accessed December 19, 2010).
  • Jones, Andy, Glenn S. Dardick, Gareth Davies, Iain Sutherland, and Craig Valli. 2009. "The 2008 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market." Journal of International Commercial Law & Technology 4, no. 3: 162-175. Academic Search Complete, EBSCOhost (accessed December 19, 2010).
  • Yekhanin, Sergey. 2010. "Private Information Retrieval." Communications of the ACM 53, no. 4: 68-73. Business Source Premier, EBSCOhost (accessed December 19, 2010).

Monday, December 13, 2010

Privacy and Data Protection Laws in Canada

Garrie and Wong (2010) state that “users of social networking sites (SNS) and platforms are realising that their personal information, given for what was believed to be a “limited purpose”, has been hijacked, sold, repackaged, misused, abused and otherwise laid bare to the world” therefore it is imperative that data protection frameworks are established by the government to protect personal information of its citizens.
On a federal level, Canada has two privacy laws: Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. On a provincial level, laws such as The Personal Health Information Protection Act (Ontario), Freedom of Information and Protection of Privacy Act (Ontario), The Personal Information Protection Act (Alberta) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec) were declared by the federal Governor.
PIPEDA applies to private and public sector organisations “who collect, use or disclose personal information in the course of commercial activities” (Treasury Board of Canada Secretariat, 2003). The act which became a law in 2004 is divided into five parts and covers information about an identifiable individual including personal health information. The act establishes ground rules for collection, exchange and disclosure of the information covered under the act. The Office of the Privacy Commissioner of Canada (2005) summarizes PIPEDA as follows:
  • If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
  • You can use or disclose people's personal information only for the purpose for which they gave consent.
  • Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
  • Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
  • There's oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people's rights are violated.
The main difference between the PIPEDA and Privacy Act is the fact that PIPEDA is a consent-based act, meaning that you must have consent to collect, use or disclose information. The Privacy Act is authority-based, meaning that you must ensure that you have the legal authority to collect, use or disclose information (Treasury Board of Canada Secretariat, 2003).
While the majority of the legislation bodies are still in the game of “catch up” (Daniel B. Garrie and Rebecca Wong, 2010), Office of the Privacy Commissioner of Canada (OPCC) is proactively looking into technologies and the use of these technologies with potential privacy concerns. For example, a number of studies have been conducted to identify privacy issues related to the use of RFID and Street Imaging technology (i.e. Google Earth), as well as the use of credit card numbers and social networking sites. Furthermore, Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint against Facebook Inc. for noncompliance with the PIPEDA. According to Denham (2009), the central issues in the investigation was “whether Facebook was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals’ attention in a reasonably direct and transparent way”.
Furthermore, Kong (2010) notes that “after assessing the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the European Commission deems the transfer of data to Canadian transferees subject to this Act legal” which results in additional business opportunities between the EU and Canada.


  • Austin, Lisa M. 2006. "Reviewing PIPEDA: Control, Privacy and the Limits of Fair Information Practices." Canadian Business Law Journal 44, no. 1: 21-53. Business Source Premier, EBSCOhost (accessed December 12, 2010).
  • Daniel B. Garrie and Rebecca Wong (2010), Social networking: opening the floodgates to "personal data". Computer and Telecommunications Law Review 2010, 16(6), p167-175.
  • Elizabeth Denham (2009), Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act [online]. Office of Privacy Commissioner of Canada. Available from: (accessed December 12, 2010).
  • Lingjie Kong (2010), Data protection and transborder data flow in the European and global context. European Journal of International Law 2010, 21(2), p441-456.
  • Office of the Privacy Commissioner of Canada (2005), Complying with the Personal Information Protection and Electronic Documents Act [online]. Available from: (accessed December 12, 2010).
  • Office of the Privacy Commissioner of Canada (2006), RFID Technology [online]. Available from: (accessed December 12, 2010).
  • Office of the Privacy Commissioner of Canada (2009), Captured on Camera - Street-level imaging technology, the Internet and you [online]. Available from: (accessed December 12, 2010).
  • Office of the Privacy Commissioner of Canada (2009), Truncated Credit Card Numbers - Why stores should print only partial credit card information on customer receipts [online]. Available from: (accessed December 12, 2010).
  • Rivkin, Jennifer. 2005. "What's a Pipeda?." Profit 24, no. 2: 11. Business Source Premier, EBSCOhost (accessed December 12, 2010).
  • Treasury Board of Canada Secretariat (2003), Personal Information Protection and Electronic Documents Act [online]. Available from: (accessed December 12, 2010).

Sunday, December 12, 2010

Data Protection – For the Rich Only?

“Preventing improper information leaks is a greatest challenge of the modern society” state Aldini and Alessandra (2008).There are virtually countless ways (channels) sensitive data can be leaked through. First, there is a question of the intent; data leakage could be intentional, for example through a disgruntled employee who wishes to take a “souvenir” home, or unintentional as a result of a simple misunderstanding of security best practices. Then, technical and business environment should be evaluated and assessed to determine the most efficient and cost effective way to safeguard the data.
When discussing data leakage and protection on the consumer market, the boundaries between intentional and unintentional data leakage blend. Security aware consumers are not disclosing information such as credit card numbers, bank accounts and birth dates publicly, therefore it is safe to assume that it is either published as a result of a lack of understanding of security best practices or the malicious information theft.
Chichowski (2010) notes seven technologies that could prevent or limit data leakage for small and medium businesses. These include hosted Email security, Web/URL filtering, anti-malware software, patch management and whole disk encryption. Google (2010) provides a similar checklist consisting of eighteen items to make sure information is secure. Based on Pareto principle, by implementing those technologies a consumer could reduce the overall risk of data leakage by 80%. The question arises: are these technologies for rich only?
Instead of using locally installed E-mail security software which is capable of filtering spam, detecting phishing attacks and scanning for viruses, a consumer could use web based Email accounts such as Google, Live and Yahoo, which provide different levels of security. For example, Google Mail provides all of the above mentioned capabilities in addition to free storage space.
A number of security software vendors, including segment leaders such as Symantec and Kaspersky, offer free anti-malware scans capable of detecting “viruses, Trojans, Spyware or other malicious codes” (Kaspersky, 2010). In addition, free security software such as McAfee SiteAdvisor and AVG LinkScanner allow users to check the reputation of each website before opening it in a browser.
Today update or patch management technologies are an integral part of operating systems and consumer applications. For example, Microsoft Windows 7, Ubuntu OS and Mac OSX all come with build in update manager, which informs the user when security and regular updates become available. On Ubuntu, patch management software updates applications managed by the operating system such as Open Office, Firefox Web Browser and Adobe Reader.
Full disk encryption technology intends to provide last resort protection in case a laptop or a desktop is stolen. Encrypting the data stored on non-volatile memory devices such as hard drive, solid state disk or removable USB device prevents malicious users from accessing the information stored. In additional to corporate solutions such as PGP Full Disk encryption and McAfee Endpoint Encryption , Check Point Full Disk Encryption, there is a number of free applications capable of protecting These are: Microsoft BitLocker Drive Encryption and TrueCrypt.
It is evident that the security aware businesses and consumers have a wealth of options when in comes to technological solutions to protect sensitive or personal information. According to AVG Technologies (2010) only “46% of identity theft victims installed antivirus, anti-spyware, or a firewall on their computer after their loss”, therefore the main problem lies in the security awareness of the users rather than in the availability or cost of data leakage prevention solutions. While in large enterprises, Chief Information Security Officer (CISO) is required to provide internal employees with the security awareness program to, the question that remains open is: Who is responsible for the educating the end user when in comes to consumer market?


  • Aldini, Alessandro, and Alessandra Pierro. 2008. "Estimating the maximum information leakage." International Journal of Information Security 7, no. 3: 219-242. Business Source Premier, EBSCOhost (accessed December 12, 2010).
  • AVG Technologies (2010), AVG LinkScanner [online]. Available from: (accessed December 12, 2010).
  • Chichowski, Ericka. 2010. "Sound the Alarm." Entrepreneur 38, no. 6: 54-59. Business Source Premier, EBSCOhost (accessed December 12, 2010).
  • Google (2010), Gmail Security Checklist [online]. Available from: (accessed December 12, 2010).
  • Kasperski (2010), Free Virus Scan [online]. Available from: (accessed December 12, 2010).

Saturday, December 11, 2010

Security and Ethical Impact of Technological Advancement

The advancement in computer technologies provides us with ever changing capabilities such as fast Internet access, larger storage capacity, mobile computing, electronic financial transactions, smaller and faster processors, cloud-based computing and virtualisation. . Those in turn are utilised by the consumers and businesses to expand their operations to previously unattainable domains. For example, in the banking sector computing resources are used for tasks such as calculating risk factors and facilitating monetary transactions. Complex models that once took hours to update can now be modified within seconds, and transactions which used to take days are now instantaneous. Another example is that “Cloud infrastructure can save 40% to 50% in up-front costs, allowing pricing model flexibility, including paying per use, low or no up-front costs, no minimum spent and no long term commitment” (Tisnovsky, Ross 2010).
Cloud computing is one of the faster growing technological and business segments in the IT industry. Both individuals and enterprises are questioning the controls in place to safeguard the information stored outside the “secure” corporate boundaries. Subashini (2010) notes that “security is one of the major issues which reduces the growth of cloud computing and complications with data privacy and data protection continue to plague the market.”
Additional concerns are privacy and compliance issues, especially for international enterprises. Different privacy acts and regulations require companies to safeguard their data and restrict its migration to different geographical locations. In addition to that, different countries and regions have different security standard and compliance models such as GLBA, HIPAA, SOX and PCI) which organizations are required to comply with, therefore it is imperative those aspects are reviewed and addressed. According to recent statistic published by Ernst & Young (2009) “Only 34% of polled entities indicated they had an established response and management process in regards to privacy related incidents, while 32% have a documented inventory of assets covered by privacy requirements”.
Furthermore, ownership and control are additional issues, which companies are concerned about when discussing the implementation of Cloud based computing. Legal issue in data ownership and the lack of complete control of access to the stored information cause difficulties to organisations manifesting themselves in a number of security related issues, such as backup and disaster recovery. Ross Tisnovsky (2010) notes that “customers need formal contractual clauses to ensure data remains available if the supplier goes out of business or is acquired and for data redundancy across multiple sites”.
Finally, consistency and accuracy of the information should be considered when migrating sensitive data to the Cloud based infrastructure. For example, Data Protection Act (DPA) 1998 requires entities to review the information stored for accuracy. When factoring in issues discussed previously such as ownership of the information and the control over the information, a process of ensuring accuracy and consistency of the information stored should be considered and, in some cases, be part of contractual obligation with the service provider.
Given the advantages Cloud-based computing offers enterprises to ensure that data and application migration follow best practices and standards of security such as Open Web Application Security Project (OWASP) “Cloud Top 10 Security Risks” and “Security Guidance for Critical Areas of Focus in Cloud Computing” by Cloud Security Alliance (CSA). Understanding security and ethical issues, adoption of security frameworks and periodic risk assessments associated with the use of a particular technology will reduce the negative exposure of the enterprise.


  • Bodde , D. L. 2004 Intentional Entrepreneur: Bringing Technology And Engineering To The Real New Economy, M.E. Sharpe
  • Bublitz, Erich. 2010. "Catching The Cloud: Managing Risk When Utilizing Cloud Computing." National Underwriter / Property & Casualty Risk & Benefits Management 114, no. 39: 12-16. Business Source Premier, EBSCOhost (accessed December 8, 2010).
  • Cloud Security Alliance (2009), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 [online]. Available from: (accessed December 8, 2010).
  • Ernst & Young. (2009). Outpacing change. 12th Annual Global Information Survey [online]. Available from:$FILE/12th_annual_GISS.pdf (accessed December 8, 2010).
  • Farrell, Rhonda. 2010. "Securing the Cloud-Governance, Risk, and Compliance Issues Reign Supreme." Information Security Journal: A Global Perspective 19, no. 6: 310-319. Business Source Premier, EBSCOhost (accessed December 8, 2010).
  • OWASP (2010), Cloud Top 10 Security Risks [online]. Available from: (accessed December 8, 2010).
  • Subashini, S., and V. Kavitha. "A survey on security issues in service delivery models of cloud computing." Journal of Network & Computer Applications 34, no. 1 (January 2011): 1-11. Business Source Premier, EBSCOhost (accessed December 8, 2010).
  • Tisnovsky, Ross. 2010. "Risks Versus Value in Outsourced Cloud Computing." Financial Executive 26, no. 9: 64-65. Business Source Premier, EBSCOhost (accessed December 8, 2010).

Sunday, December 5, 2010

Professional Ethics and Responsibility

According to Deborah Johnson (2008), the distinction between “guns-for-hire” and professionals is the fact that “guns for hire” will do everything in his or her capabilities for the prices. By contract, a professional will take responsibility for his or her action.
In an ideal world, every professional adheres to a core set of values of the profession. Ethical values include a value of human life in medicine, accuracy in auditing, integrity (among the others) in military and safety in engineering. Number of computer ethics bodies published and maintain code of ethics and conduct such as BCS, ACM and IEEE but due to variability in computing field it is difficult to define ethical behaviour of computing professional.
Since so many non-experts rely on a computer professional expertize, it puts the computer professional in a position of power. Furthermore, the result of a work conducted by a computer expert has direct and indirect impact on users of the product. “Computer experts generally work either as employees in organizations (including corporations, government agencies, and nongovernmental organizations) or as consultants hired to perform work for clients. Often their employer or client does not have the expertise to understand or evaluate the work being performed” Deborah Johnson (2008).
When we consider a role of a company (employer) and the impact of corporate policy and goals on a computer expert, the equation becomes even more complicated. Debora Johnson (2008) explains that “a computer experts might think of themselves as merely agents. They might presume that their client, employer, or supervisor is in charge and the expert’s role is merely to implement the decisions made by those higher up”. Furthermore, the role of a computer expert has a direct impact on the way an organization conducts business. Certain roles pf a computer professional could have conflicting interests with the business goals. For example, a security consultant should accurately identify security vulnerabilities and provide objective (vendor neutral) recommends without being compensated for up-selling a service or a hardware solution.
Debora Johnson (2008) summarizes that “computer experts aren’t just building and manipulating hardware, software, and code; they are building systems that help to achieve important social functions, systems that constitute social arrangements, relationships, institutions, and values.”


Internet Communication

When language is used by non native speaks, they tend to simplify the language. It is evident that English, as a lingua franca - “a language systematically used to communicate between persons not sharing a mother tongue” (Wikipedia, n.d.) is evolving with development of new abbreviations and slang, and easing grammar structure to simplify the language . Bill Templer (2009), notes that “we need a slimmer, sustainable lingua franca specially for trans-cultural working-class communication needs, a kind of 'convivial' English for the Multitude counterposed to English for Empire”.
At the same time, as human being we are constantly expressing emotions though facial expressions and gestures. In conversation, words, as well as body language are used to express our feeling, and in many cases slang is used to convey the message.
Similar process is happening to the language used for the online communication. For example, in China “as a result of the rapid development of computer-mediated communication, there has emerged a distinctive variety of Chinese language, which is generally termed Chinese Internet Language” (Gao, Liwei. 2006). English is not an exception and new abbreviations such as LOL (Laughing Out Loud), ROFL (Rolling On Floor Laughing), WILCO (Will Comply) *$ (Starbucks) and W8 (Wait) are widely used in online forums and chat rooms. Furthermore, according to Alla Markh (2004), different communicative situations involve different style of languages. Lexical and stylistic items of one style can be transferred to another style, in other words those can influence each other to a certain extent. For example, in the modern English language, abbreviation LOL appears not only in chats where it derives from, but also in the written and spoken language.
David Crystal (2009) explains that “abbreviations are a natural, intuitive response to a technological problem”. He argues that texters would not be able to use the technology (mobile phones, forums and chats) at all without having at least base knowledge in standard English writing system. In addition, the creation of abbreviation and slang should not be attributed to a younger generation influenced by the Internet. For example, the words “wot” (“what”) and “cos” (“because”) are part of English literary tradition and were used by Charles Dickens and Mark Twain. Furthermore, those words were given entry to Oxford English dictionary in the 19th century demonstrates that the language evolves with time to keep pace with society.


  • Crystal, David 2009, Txtng: frNd or foe?The Linguist, The Threlford Memorial Lecture, 47 (6), 8-11. Available from: (accessed December 5, 2010).
  • Gao, Liwei. 2006. "Language contact and convergence in computer-mediated communication." World Englishes 25, no. 2: 299-308. Academic Search Complete, (accessed December 5, 2010).
  • Markh, Alla (2004), Nonverbal Means of Expressiveness in Internet Communication. On the Material of English and Russian Chats. International Higher School of Practical Physiology.
  • Netlingo (2010), The List of Chat Acronyms & Text Message Shorthand [online]. Available from: (accessed December 5, 2010).
  • Templer, Bill. 2009. "A Two-Tier Model for a More Simplified and Sustainable English as an International Language." Journal for Critical Education Policy Studies (JCEPS) 7, no. 2: 187. EDS Foundation Index, EBSCOhost (accessed December 5, 2010).
  • Wikipedia (n.d.), Lingua franca [online]. Available from: (accessed December 5, 2010).