You Might be Interested In

Today is Data Privacy Day, an opportunity for us to highlight the impact that technology is having on the privacy rights of Canadians and to reflect on the importance of valuing and protecting personal information. To drive home this point, we’ve chosen the slogan “The Net never forgets. Remember to protect your personal data” for our activities celebrating the day.

This year, our Office has developed a passel of resources designed to support Data Privacy Day initiatives all over Canada. We’ve developed posters and web graphics, fact sheets offering workplace tips on protecting information on mobile devices, and we’re running an online draw for a 2GB encrypted USB flash drive. We’ve shared many of these products with our provincial and territorial counterparts to complement their own activities to mark the occasion.

Here at the OPC, we’re holding an all-staff event underlining the importance of safeguarding data from the point you collect it, use and keep it, and ultimately dispose of it. We’ll be exploring a variety of methods for safely disposing electronic data, including an interactive demonstration on how to safely and effectively render a hard drive unreadable using tools you have at home. In an educational but light-hearted way, we hope to drive home the importance of protecting personal data!

Many people will be getting shiny, new wireless gadgets this holiday season. This might be a new smart phone, a laptop or netbook computer, or a tablet such as the iPad. One of the most attractive features of these devices is that they can connect to the Internet wirelessly, using Wi-Fi networks found in homes, offices, and many public locations (hotspots). This is a great feature, but it does come with risks.

Many wireless networks offer no data protection, so people nearby can eavesdrop on the wireless signals and monitor what you are doing online. Even more frightening, new tools such as Firesheep allow other people to easily hijack wireless Internet connections, take over sessions with various online services (email, Facebook), and impersonate you online.

There are some ways that you can reduce these risks.

If you set up a wireless network at home or in the office, make sure that you enable the security features that are included with your wireless router. It should only take a couple of minutes. At a minimum, you should:

1. Change the default administrator password, since these passwords are shared by all devices made by the same manufacturer and they are well known.
2. Change the wireless network name (known as the SSID) to something that is unique, but not related to your real identity (e.g., “mynewnetwork” instead of “TheSmithNetwork”).
3. Turn on wireless encryption (preferably WPA2 or WPA) and choose a long, complicated password. You don’t need to memorize it and you can write it down. You will have to enter it once in each new device that joins the wireless network.

The exact steps that you follow to change these settings depends on the type of router you are using, so read your instructions.

But you don’t just want to use your new gadget at home or work, you want to take it with you. Most public wireless services, such as the ones you find in coffee shops, don’t turn on wireless encryption. So you need to find other ways to protect your data from eavesdroppers. There are a number of ways to do this:

• Find another way to connect to the Internet when away from the home or office. Your wireless device may also have a cell phone feature, and connecting to the Internet over the cell networks can be more secure than public hotspots, but it does cost money. You can even connect some laptops and notebooks to cell networks using a feature called “tethering”, but make sure that your cell plan allows it and you have a large enough data plan.
• When connecting to a website (like an email service), choose sites that offer secure connections (ones that have “https” in the address instead of “http”). Some services are now offering secure connections by default (e.g., Google Mail) and other services often have a secure connection available. Try changing the address in your browser from “http” to “https”, but make sure that the site doesn’t just turn back to “http” once you’ve logged in. For Firefox (an alternative web browser you can download), there are helpful plug-ins, such as HTTPS Everywhere and Force-TLS, which try to ensure you are using an “https” connection wherever it is supported. There are no equivalent tools for Internet Explorer.  (In fact, you should be looking for web services that offer secure connections regardless of what kind of Internet connection you are using. It is just good practice, and more websites should be using “https” by default. If a service you use does not offer secure “https” connections, ask them to start.)
• Make your own secure connection by using a Virtual Private Network (VPN). VPNs protect your network traffic starting at your computer and ending at a remote VPN server. If you don’t already have access to a VPN (often provided by workplaces for their employees), low-cost and advertising-supported VPN services are available. VPNs do take a bit of work to set up, but they are worth it. Tech-savvy people can set up their own secure connection back to their home using an SSH tunnel.

So, enjoy your new wireless device, but be careful when using unprotected connections to the Internet. Set up a secure wireless network at home or work; look for services that offer secure “https” connections; and protect yourself using a VPN.

The Office of the Privacy Commissioner of Canada (OPC) is holding the first armchair discussion in its Insights on Privacy Speakers’ Series. Our first event will take place on Friday, December 10th with Chris Soghoian and Jesse Hirsh. Chris and Jesse will report from the frontiers of the privacy landscape and give their thought-provoking insights into what the future of privacy might look like. Known as stimulating speakers, Chris and Jesse will no doubt push some boundaries and engage the audience on their assumptions and understanding of privacy, identity and reputation online.

Chris Soghoian (dubfire.net, @csoghoian on Twitter) is a Ph.D. Candidate in the School of Informatics and Computing at Indiana University. His research interests include data security and privacy, cyber law, policy as well as phishing and other forms of applied deception. He has consulted for, worked at or interned with the Berkman Center for Internet & Society, the Palo Alto Research Center (PARC), and the Electronic Privacy Information Center (EPIC), Google, Apple and the U.S. Federal Trade Commission (FTC).

Jesse Hirsh (jessehirsh.com, @jessehirsh on Twitter) is an internet strategist, researcher, and broadcaster based in Toronto, Canada. He has a weekly nationally syndicated column on CBC radio explaining and analyzing the latest trends and developments in technology using language and examples that are meaningful and relevant to everyday life.

The Insights on Privacy Speakers’ Series is a series of armchair discussions hosted by the OPC to shed light on new and provocative voices doing interesting work in the field of privacy. Drawing from a variety of fields and disciplines, we hope to bring new perspective to privacy research, both within the OPC and outside of our office.

Space is limited and is available on a first come first served basis. Please RSVP before December 6th.  Simultaneous interpretation for both official languages will be available.

When:    3:00-4:30 p.m. Friday, December 10, 2010
Where: Minto Suites Hotel, 185 Lyon Street North, Ottawa, Ontario
RSVP: knowledge.savoir@priv.gc.ca

Some of our public education efforts at the OPC focus on talking to young people about online privacy. How they face the challenges of controlling their information online and protecting their privacy is an important skill to surviving – and thriving- in a digital environment. Increasingly, we see it as part of a suite of skills necessary for digital citizenship.

Through our presentations to young people, their teachers and parents, we’ve gained some wonderful insight into how kids use these tools to not only connect and share with other people, but also restrict access to their information and manage their identities online. We’re also learning a lot about what they already know, what they’d like to know, and what they don’t care to know when it comes to online privacy. These firsthand observations, paired with a growing body of work done by researchers like Valerie Steeves, danah boyd, Sara Grimes, the Pew Research Center and others, are helping us shape our public education and outreach efforts for young people.

Recently at the annual International Conference of Data Protection and Privacy Commissioners, danah boyd gave a talk entitled “The Future of Privacy: How Social Norms Can Inform Regulation”.  The entire talk is worth reading for her observations on how young Americans navigate the public/private divide in ingenious ways.  But among the things that struck me most, was this:

Participation in a networked era means that people are exposed in entirely new ways.  Interactions are increasingly public-by-default, private-through-effort.  People will make an effort to keep personal and intimate information private so as to not be embarrassed or vulnerable in front of people that they care about.  But we are not yet at a point where people have any model for thinking through what an algorithmic society looks like.  People don’t know how data about them and their interactions with others is being used to build data portraits.  They don’t know how algorithms are judging them.

How is our data collected? How are algorithms swallowing up this information and spitting out fairly accurate profiles of ourselves? These are some of the questions we need to be able to answer in order to fully navigate that public/private divide.

Often, “digital literacy” skill sets focus on the soft skills required to navigate in a digital world. But in doing so, perhaps we’re neglecting something quite fundamental to digital literacy – knowledge of the language(s) of computers themselves.

As Douglas Rushkoff recently wrote:

When human beings acquired language, we learned not just how to listen but how to speak. When we gained literacy, we learned not just how to read but how to write. And as we move into an increasingly digital reality, we must learn not just how to use programs but how to make them….

At the very least we must come to recognize the biases – the tendencies- of the technologies we are using, and encourage our young people to do the same.

Basic programming  could be the piece of the puzzle that young people need to fully understand how the digital world works, and how they can change it.

Last week, you may have heard about Firesheep, a plug-in for the Firefox web browser that lets an eavesdropper take over another user’s session—such as a login to Twitter or Facebook—by intercepting packets on a local network and copying the victim’s cookie.  What Firesheep does is to take advantage of a known security flaw and make it easy to exploit, by carrying out sidejacking (or session hijacking). There are two main parts to this exploit:

1.       The attacker needs to be able to “sniff” the network packets, in order to grab the cookie. Firesheep doesn’t do that by itself, but works with packet capture software that comes standard on many computers (or can be freely downloaded). The attacker places himself on the same network as the victim – such as a wireless hotspot in a coffee shop – and if the network is unencrypted, the attacker can eavesdrop on all traffic that flows over the wireless link.
2.       Firesheep then monitors the network traffic, looking for a “cookie” to be sent. When you log in to certain websites, you first provide a username and password, which are often sent encrypted. (You’ll see “https:” in the URL of encrypted pages.)  However, after you log in successfully, some sites use a session cookie that stays active during your login: anyone who captures and sends that cookie to the originating website can mimic you. If you log in to Twitter, for example, session cookies are then sent between your computer and Twitter, which the attacker can then exploit to send tweets under your name.

The attacker doesn’t need to know your password: the website will simply believe the attacker is you, because they have your cookie. Many websites only protect the login page (encrypting your username and password), but turn off the encryption on the rest of the website. Result? Cookies are sent in the clear (unencrypted), attackers can intercept them, then hijack your session and gain access to your account. There is no way to detect that someone else on your Wi-Fi connection is using Firesheep. This vulnerability has been noted on a number of websites, including Flickr, Tumblr, and WordPress.

Although Firesheep garnered a lot of coverage, this is not a new problem. Its author points out that sidejacking tools already existed, and that Firesheep is simply a more user-friendly tool. However, Firesheep’s ease of use and its subsequent publicity shone a spotlight on a persistent security problem, making more people aware of this vulnerability and highlighting the need to address it.

Preventing the transmission of unencrypted cookies

Website operators can deploy encryption to protect their session cookies.

• For website operators:  Wherever possible, websites should ensure that cookies are not sent in the clear, by using encryption (SSL/TLS/HTTPS) on more than just the login page. Some sites provide this feature by default, and others as an option—by default is definitely preferable. At a minimum, if you provide HTTPS as an option, then publicize it so your users know about it.  (You can also set the HTTP Strict-Transport-Security header and turn on the Secure option for session cookies so that browsers send them only over SSL connections.)

There has been some resistance to deploying SSL, due to fears that the performance hit is too high. However, this is an outdated idea in most cases: the overhead is minimal, and services like Google’s Gmail have successfully deployed SSL for entire sessions (not just for the login portion). SSL has low costs and provides huge gains for protecting your users.

• For website users: if you have an account on a website (like a social networking site), check for an “https://” version of that site – making sure that the site doesn’t just turn back to “http:” once you’ve logged in. For Firefox users, there are helpful plug-ins, such as HTTPS Everywhere and Force-TLS, that try to ensure you are using an https:// connection wherever it is supported. (Note that sometimes a site just doesn’t make https:// available – in which case these plug-ins can’t provide you with extra protection, unfortunately.)

Protecting cookies that are being sent unencrypted by a website

If https:// is not provided on a site, then users can take steps to put encryption in place.

• You can use a virtual private network (VPN), which acts like a middleman to provide encryption for you. VPNs encrypt and transmit your network traffic from your computer to a remote server, which then connects to the actual website. If you don’t already have access to a VPN (often provided by workplaces for their employees), low-cost and adware-based VPN services are available. (Those with the technical ability and interest to try a free/alternative solution can set up an SSH tunnel.)

This solution does have some drawbacks. You can only guarantee encryption over part of the network—and the final connection to the destination site may be unencrypted—but it is likely that your traffic is much harder to intercept if you use a VPN. Another downside is that a VPN does require some effort (and possibly cost) to set up, and may sometimes not work reliably. However, this may be users’ only real option, while the website operators roll out their own sidejacking solutions.

Just don’t go there?

One simple solution that has been suggested is to stop using open Wi-Fi networks: lock down your own Wi-Fi, and don’t use public open Wi-Fi networks. As with many simple solutions, this is a stopgap measure that only partially addresses the problem. Fundamentally, the problem is not about wireless. It’s about the dangers of transmitting sensitive information— unprotected—over any kind of network, wired or wireless. It’s unwise to assume the network will protect you: consider secured Wi-Fi as a bonus, not a guarantee.  So, while there are some benefits to limiting access to a wireless network and turning on encryption, this is not a “silver bullet” to stop Firesheep: end-to-end encryption is required for a truly effective security solution. Wireless security, where provided, should be in addition to https://—not instead of it.

Steel wool: armouring yourself

The takeaway message is that both websites and users have a role to play in dealing with sidejacking. While the ultimate solution requires websites to roll out SSL, the steps you can take as a user are:

• If you do use open Wi-Fi, without the additional protection of a VPN, limit your activities to low-risk ones, like reading the news. If you must log in to an account, like a social networking site, then try to ensure you’re on a site that uses “https://” throughout – which protects your cookies — not just on the login page. (Firefox users can try the plug-ins listed above to help them.) If https:// is not provided, and you have no VPN, then you have no protection – bad idea.

• For better security, use a VPN, which provides another layer of protection through encryption. This will help you whenever you use untrustworthy networks. You can subscribe to a VPN service, in order to make this task easier.

• Let website operators know that you want them to provide more secure connections for your accounts: ask them to deploy https:// throughout their sites to protect your information.

Have you ever looked yourself up online and wondered how companies you have never heard of know your name? Where did they get your information and what are they using it for?

Data brokers were the subject of a recent article in The Wall Street Journal’s “What they Know” series on online privacy. Data brokers collect personal information from various sources such as public registries, telephone listings, product registration cards, and, notably, online social network sites and blogs.  The information is then compiled into profiles and sold – to marketing companies, to individuals through “people finder” websites, to fundraisers.

In the past, data brokers relied primarily on organizations like retailers, subscription services, payment processing companies and charitable organizations to share their customer information by renting or selling customer lists. The lists would typically include names and contact information together with attributes like income, age group, number of children, purchase history, and interests. Data brokers would combine these lists with information from other sources, like survey and census data, to generate specialized lists they would then sell to marketers.

Now that we spend more and more time in a digital world, data brokers are able to tap into a wealth of rich new data sources.  Vast amounts of customer information is being stored online. Public records, like court decisions, no longer live in musty filing cabinets but can be accessed by anyone anywhere with the click of a mouse.  Our actions online – where we go, what we do – are tracked and recorded.

And then there is the information that we voluntarily share on social networking sites, blogs, chats and other social media services. Data brokers say this information has been made public and therefore should be free for the taking. Privacy advocates argue that combining and repurposing data exposes individuals in ways they may not have anticipated or consented to. Why do Canadians chose to reveal personal information online? Privacy by obscurity is a theme we at OPC often hear when we ask that question. “I’m not a celebrity so why would anyone be interested in what I post?” Data brokers are interested because collecting and selling your information is how they generate revenue.

The implications of having so much of our personal information out in the ether are only beginning to be understood. Industry practices are not transparent and the average person knows little about companies that routinely harvest online information.  We have seen reports of information gathered from blogs and chats being used to help determine creditworthiness. But would we even know if that happened to us? And would we know how to stop it?

Many of these companies are based in the U.S., where consumers have to navigate a patchwork of laws and regulations that for some will mean being able to opt out of tracking or having information removed from brokers’ databases.  Here in Canada, we are more fortunate.  Canadian private sector privacy law gives individuals the right to see what information data brokers have about them, ask them to correct inaccurate information, and request that the information be deleted.  The only exception is contact information that appears in a public directory such as a telephone book.  American companies which operate in Canada are also subject to our privacy law. If, after contacting a data broker, you are not satisfied with the response, you can file a complaint with us.

You can also try to limit what information you willingly give away.  Be more selective when posting online, restrict your privacy settings, and think twice about filling out that customer satisfaction survey or warranty card. Stay vigilant and let us know if you come across practices that cause you concern.

With new technologies emerging all the time, it can be hard to stay in the loop in terms of privacy. Many applications and websites have privacy settings, but using them might not always be straightforward or obvious (or even seem to matter), especially to youth. That’s why the Office of the Privacy Commissioner of Canada is proud to be a sponsor of the Youth Privacy Online Conference in Toronto, held on Wednesday, December 1^st.

Social networking websites, as well as a variety of interactive applications on the internet, are a facet of daily life for today’s youth. Along with these new technologies comes the risk that many people using and interacting with the platforms do not understand how to ensure the safety of their personal information, or even of their person. This can result in such things such as identity theft, luring, and loss of employment, among a range of other consequences.  

The conference will feature speakers from Canada, the US, and the UK. It will be a forum for discussion, debate and inquiry that will focus on different approaches to protecting children’s privacy online. With the amount of time they spend on the web, youth privacy is a very prevalent subject in the media. This conference will be useful for people working with youth and give them a general idea of how to protect their privacy.

Click here for more information.

By now, many of you have heard of the information that is “leaking” from Facebook applications, and how this wide-ranging problem might affect your personal privacy.

On Monday, the Wall Street Journal continued its online privacy series by reporting that many popular Facebook applications leak personal information – in the form of Facebook user IDs – to online advertisers.  A Facebook user ID is a unique number issued to every user of the site, and is part of a person’s public profile: you cannot restrict access to your user ID simply by modifying your account’s privacy settings.

When you visit a web page, browsers typically report the URL of the page you were viewing before you clicked over to the current page: this is known as the “referrer” URL.  A Facebook app is often loaded on the same web page as third-party ads. When these ads are fetched (to be loaded onto the page), the application tells the advertising network the URL of the current page that is loading their ad. In the case of many Facebook apps, this URL contains the unique user ID of the person who loaded the page. This ID can then be used to identify that specific user – it is linked to public profile information like their full name.  The URL (with the ID) is sent even if the user does not click on any ads.

This is not the first time it has been the subject of discussion. It was raised in a research paper in August 2009 and – in a similar context – described in an earlier WSJ article about Facebook ads. A lawsuit has been filed in California that alleges that Facebook has shared personal data with advertisers.

Current debate around the privacy implications of referrer information has also included criticism of the statements made in the WSJ article. Some commentators found the article alarmist, and others pointed out that these issues are not specific to Facebook, but are a wider web privacy concern. Indeed, the broader privacy implications of referrer data have also been recently raised as part of a complaint to the Federal Trade Commission about Google’s use of referrer headers.

It is important to note that using referrer data is, by itself, a legitimate practice. The web standards that underpin how information and instructions are communicated across the internet allow browsers to send the referrer field as an optional part of a request to a web server. However, there is flexibility as to exactly what information is included in the referrer header, and also whether users allow their browsers to send referrer data in the first place. Harlan Yu outlined a number of solutions in a timely blog post; these include omitting IDs from the web request, using placeholder IDs instead of real Facebook IDs, and improving browsers to give people better control over the transmission of referrer data.

One prominent member of the web community co-wrote an Internet standard document that pointed out privacy concerns of referrer data:

Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer…information.

The co-author? Tim-Berners Lee (considered the father of the web), in 1996. The privacy debate continues…

Understanding how we construct and manage our online reputations is crucial in our understanding of how people determine what to make public and what to keep private in online environments. The interview below, with Firefox’s Creative Director Aza Raskin, has some interesting observations on what the construction of identity and memories could look like in the future. Also, around 4:35, he talks about the work Mozilla has been doing to create a set of privacy icons in the style of Creative Commons licences to help people understand how their data is being collected and used.

We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!