Technology

Graph Search and ‘Risky’ Communicative Domains

/ Christopher Parsons

Photo by Lynn Friedman

There have been lots of good critiques and comments concerning Facebook’s recently announced “Graph Search” product. Graph Search lets individuals semantically query large datasets that are associated with data shared by their friends, friends-of-friends, and the public more generally. Greg Satell tries to put the product in context – Graph Search is really a a way for corporations to peer into our lives –  and a series of articles have tried to unpack the privacy implications of Facebook’s newest product.

I want to talk less directly about privacy, and more about how Graph Search threatens to further limit discourse on the network. While privacy is clearly implicated throughout the post, we can think of privacy beyond just a loss for the individual and more about the broader social impacts of its loss. Specifically, I want to briefly reflect on how Graph Search (further?) transforms Facebook into a hostile discursive domain, and what this might mean for Facebook users.

Continue reading

Smart Chip, Simple Illusions: NFC and the BC Services Card

/ Christopher Parsons / 2 Comments
This is a guest post from my colleague, Adam Molnar, who has been conducting research on the BC Services Card. Adam is a PhD Candidate in the Department of Political Science at the University of Victoria and a member of the New Transparency Project. His dissertation research focuses on security and policing legacies associated with mega-events. You can find him on Twitter at @admmo

Image by Pierre Metivier

In just two weeks, the province of British Columbia will be launching the new BC Services Card. If you haven’t already heard about the new province-wide identity management initiative, it’s not your fault; the government only began its public relations campaign for the Services Card initiative six weeks before the card was set to hit wallets and hospitals across the province. In fact, the government’s been so unforthcoming about the new Cards that, just six weeks before it’s release, the British Columbia Office of the Information and Privacy Commissioner is racing to adequately review the program. To be clear: this isn’t a new initiative, but one going back several years. The unwillingness to disclose the documents necessary for the Commissioner’s review is particularly troubling since the Services Card is just one component in a much larger transformation of the province’s movement to its integrated identity management program. Will similar tardiness to assist the province’s privacy czar pervade this entire transition? Will the public be as excluded from future debates as they have from the Services Card development and deployment regime?

The Services Cards feature a host of security enhancements, including layered polycarbonate plastics, embedded holography, laser etchings for images and text appearing on the card, and the integration of a Near Field Communications (NFC) chip. For this post, I focus exclusively on the NFC chip, that is meant to ‘secure’ your identity when presenting the card to government agencies, either in person or online.

The BC government has been touting NFC as an enhanced security feature in the Services Card initiative. While this technical feature might enhance the perception of privacy (especially when buttressed by official provincial political rhetoric), they actually entail serious flaws. These flaws could leave the personal information of BC residents and government databases vulnerable to attack; the security ‘features’ could be the beachhead that leads to serious privacy breaches.

Continue reading

Biometrics and the BC Services Card

/ Christopher Parsons / 3 Comments

Image by kentkb

Anti-fraud capabilities are touted as a major component of the proposed BC Services Card. While the government is almost certainly overstating the issue of fraud, the political rhetoric around fraud doesn’t inherently mean that proposed anti-fraud mechanisms will be similarly overstated. Indeed, many of the Services Card’s suggested changes could be helpful in limiting the issuance of fraudulent identity documents; adding a card holder’s photo, an expiry date, and anti-counterfeiting technologies to new medical CareCards could be quite helpful in ascertaining, and addressing, fraud levels. Unfortunately, the biometric systems that will also be linked to the Services Cards are unlikely to significantly defray fraud.

In this post I continue my analysis of the BC Services Card, this time with a focus on the cards’ integration with biometric analysis technologies. I begin by giving a primer on the origins of biometric analysis for identity documents in BC, and then move to outline how the government asserts that the biometric analyses should work. I then explain why adopting biometric identifiers matters: why don’t they tend to work? what is at stake in their inclusion? I conclude by (re)suggesting some entirely reasonable security processes that might defray fraud without needing the cards’ proposed biometric properties.

Continue reading

Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking

/ Christopher Parsons

Image by fake is the new real

For the past several months I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies. One element of of this research has involved testing whether these networks comply with the Personal Information Protection and Electronic Documents Act; do social networks provide subscribers access to their personal data when a subscriber asks? Another element has involved evaluating the privacy policies of major social networks: how do these companies understand access, retention, and disclosure of subscriber data? We’ve also been investigating how law enforcement agencies access, and use, data from social networking companies. This research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions.

Colin Bennett presented a draft of one of the academic papers emergent from this research, titled “Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking: Canadian Policy and Corporate Practices.” It was given at the 2013 Computers, Privacy and Data Protection Conference. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.

Abstract:

In this paper we analyze some of the practical realities around deleting personal data on social networks with respect to the Canadian regime of privacy protection. We first discuss the extent to which the European right to be forgotten is, and is not, reflected in Canadian privacy law, in regulation, and in the decisions of the Office of the Privacy Commissioner of Canada. After outlining the limitations of Canadian law we turn to corporate organizational practices. Our analyses of social networking sites’ privacy policies reveal how poorly companies recognize the right to be forgotten in their existing privacy commitments and practices. Next, we turn to Law Enforcement Authorities (LEAs) and how their practices challenge the right because of LEAs’ own capture, processing, and retention of social networking information. We conclude by identifying lessons from the Canadian experience and raising them against the intense transatlantic struggle over the scope of the new Draft Regulation.

Download paper at SSRN (Download from alternate source)

How To Get Your Personal Information From Social Networks

/ Christopher Parsons / 5 Comments

Photo by Evan Long

Canadian news routinely highlights the ‘dangers’ that can be associated with social networking companies collecting and storing information about Canadian citizens. Stories and articles regularly discuss how hackers can misuse your personal information, how companies store ‘everything’ about you, and how collected data is disclosed to unscrupulous third parties. While many of these stories are accurate, insofar as they cover specific instances of harm and risky behaviour, they tend to lack an important next step; they rarely explain how Canadians can get educated on data collection, retention, and disclosure processes.

Let’s be honest: any next step has to be reasonable. Expecting Canadians to flee social media en masse and return to letter writing isn’t an acceptable (or, really, an appropriate) response. Similarly, saying “tighten your privacy controls” or “be careful what you post” are of modest value, at best; many Canadians are realizing that tightening their privacy controls does little when the companies can (and do) change their privacy settings without any notice. This post is inspired by a different next step. Rather than being inspired by fear emergent from ‘the sky is falling’ news stories, what if you were inspired by knowledge that you, yourself, gained? In what follows I walk you through how to compel social networking companies to disclose what information they have about you. In the process of filing these requests you’ll learn a lot more about being a member of these social networking services and, based on what you learn, can decide whether you want to change your involvement with particular social media companies.

I start by explaining why Canadians have a legal right to compel companies to disclose and make available the information that they retain about Canadian citizens. I then provide a template letter that you can send to social networking organizations with which you have a preexisting relationship. This template is, in effect, a tool that you can use to compel companies to disclose your personal information. After providing the template I explain the significance of some of the items contained in it. Next, I outline some of the difficulties or challenges you might have in requesting your personal information and a few ways to counteract those problems. Finally, I explain how you can complain if a company does not meet its legal obligation to provide you with a copy of your personal information. By the end of this post, you’ll have everything you need to request your personal information from the social networking services to which you subscribe. Continue reading

The BC Services Card and Confused Public Outreach

/ Christopher Parsons

Photo by Jonny Wikins

Last week members of the BC government engaged in a media blitz to promote the proposed BC Services Card. As part of the blitz, BC’s Health Minister gave an interview to CBC’s All Points West to explain some of the proposed Services Card’s features. As a key Minister involved in the Services Card she understandably has been an outspoken advocate for the new initiative. Previously, BC’s Health Ministers have stridently argued that the Services Card would defray fraud, though this rhetoric has since been toned down: now the cards will remedy unknown levels of fraud, save unknown amounts of money, and facilitate undetermined kinds of data migration across government.

In what follows, I analyze the Minister’s interview with CBC to identify the confused and problematic nature of the Services Card, as it is being presented to the public. I start by noting an area where I think most residents likely support the government – some basic updates to the present CareCards – and then proceed to deficiencies in how the Minister is introducing the new Cards. I conclude by focusing on the frankly bizarre methods that the provincial government is using to ‘sell’ the card to the public and ask whether these cards could be a significant election issue later this year.

Continue reading