Technology

Canadians up in arms: Privacy without consent and the dangerous precedent


It’s the news that has taken Canada by storm of late, on Twitter, in the headlines, and in today’s parliamentary debate. Statistics Canada, the agency that issues statistical research on the state of Canada, its population, the economy and culture, unwittingly walked into the spotlight when Global News revealed the agency had asked TransUnion, a credit bureau that amasses credit information for many financial institutions, to provide financial transactions and credit histories on approximately 500,000 Canadians without their individual prior consent. The Liberal government has endorsed this move.

During the parliamentary debate, Conservative opposition member Gérard Deltell declared:

If the state has no business in people’s bedrooms, the state has no business in their bank accounts either. There is no place for this kind of intrusion in Canada. Why are the Liberals defending the [Statistics Canada] indefensible? 

The data being demanded, according to Global News, consists of private information including name, address, date of birth, SIN, account balances, debit and credit transactions, mortgage payments, e-transfers, overdue amounts, and biggest debts, covering 15 years’ worth of data. Equifax, the other credit reporting agency that supports financial institutions in Canada, has not been asked to provide data.

Francois-Philippe Champagne, Minister of Infrastructure and Communities, was vague in his response. While he affirmed StatsCanada’s upstanding practices in anonymizing and protecting personal data, he also admitted proper consent was not received:

StatsCan is going above the law and is asking banks to notify clients of this use. Stats Canada is on their side… We know data is a good place to start to make policy decisions in this country, and we will treat the information in accordance with the law. They can trust Statistics Canada to do the right thing.

Statistics Canada and the Liberal government failed to disclose the explicit use of this information, however,

By law, the agency can ask for any information it wants from any source.

I posed this question to former 3-term Privacy Commissioner, Ann Cavoukian, who currently leads the Privacy by Design Practice at Ryerson University, Toronto:

[Image: Ann Cavoukian on Twitter]

What’s troubling is that while the opposition cried foul, lashing out with accusations of authoritarianism and surveillance, the latter outcome is not implausible.

According to the Personal Information Protection and Electronic Documents Act (PIPEDA) Guidelines to Obtain Meaningful Consent, these are the main exceptions:

  • if the collection and use are clearly in the interests of the individual and consent cannot be obtained in a timely manner;
  • if the collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
  • if disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records;
  • if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
  • if the disclosure is made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
  • if required by law.

For Statistics Canada, its broad legal reach is enough for the agency to circumvent explicit disclosure of data use and permission. This alone sets a dangerous precedent that is at odds with current European GDPR mandates, which will be referenced in the updated PIPEDA at a time yet to be determined.

This privilege will not make StatsCanada immune to data breaches, however; in fact, it will make the agency a more attractive target for data hackers. According to the Breach Level Index, since 2013 there have been 13+ billion records lost or stolen, with an average of 6.3+ million lost on a daily basis. The increasing centralization of data makes this more likely. Statistics Canada, which has been collecting tax filings, census data, location, household, demographic, usage, health and economic data, is increasingly amassing its data online. According to National Newswatch, dwindling survey completions and costly census programs have necessitated a move to compile information from other organizations such as financial institutions, which comes at a more reasonable cost and with better data quality.

If this is the catalyst to aggregate compiled information, with the goal of record linking, it will raise significant privacy alarms in the process. For StatsCanada, which has received significant government support because of the critical information it lends to policy decisions, there are looming dangers, beyond data breach vulnerabilities, in being the purveyor of every Canadian’s private information.

Anonymized Data Doesn’t Mean Anonymous Forever

I spoke to Alejandro Saucedo, the Chief Scientist at The Institute for Ethical AI & Machine Learning, a UK-based research center that develops industry standards and frameworks for responsible machine learning development and asked him to weigh in on this issue:

Canadians are rightly worried. It concerns me that StatsCanada is suggesting that just discarding names and addresses would be enough to anonymize the data. Not to point out the obvious, but data re-identification is actually a big problem. There have been countless cases where anonymized datasets have been reverse engineered, let alone datasets as rich as this one. 

Re-identification reverses the anonymized state of a dataset by using alternative data sources to link records back to an identity. Saucedo points to successful re-identification attempts that relied on publicly available data, easily found in today’s Big Data environment, coupled with the speed of advanced algorithms: reverse engineering credit card data, or the case in which an engineer was able to create a complete NYC taxi data dump of 173 million trip and fare logs by decoding the cryptographically secure hashing function that anonymized the medallion and taxi number.

Ethical hacks are not new to banking or to any company that collects and manages significant data volumes. These are intentional hacks that corporations carry out internally against their own infrastructure to ensure vulnerabilities are mitigated on-premise and online. This practice ensures the organization is up to par with the latest methods for encryption and security as well as current breach mechanisms. As Saucedo points out:
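The weakness behind the taxi example can be checked before a dataset is released. The following is an added example, not code from the original post or from any party it mentions: it assumes a constructed four-character identifier format and constructed sample IDs, and measures how many hashed identifiers can be recovered simply by hashing every possible value, compared with pseudonyms derived under a secret key.

```python
import hashlib
import hmac
import secrets
import string
from itertools import product


# Assumption: a constructed 4-character identifier format (digit, letter,
# digit, digit), e.g. "7C42". It stands in for any short licence-style ID.
def id_space():
    for d1, letter, d2, d3 in product(string.digits, string.ascii_uppercase,
                                      string.digits, string.digits):
        yield d1 + letter + d2 + d3  # 10 * 26 * 10 * 10 = 26,000 values


def unkeyed_pseudonym(identifier: str) -> str:
    """What a naive release does: publish SHA-256(identifier)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a key that never leaves the data custodian."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def recoverable_fraction(released, public_function) -> float:
    """Release-time check: hash every possible identifier with a function
    anyone could compute and count how many released pseudonyms match."""
    table = {public_function(i): i for i in id_space()}
    return sum(1 for p in released if p in table) / len(released)


SAMPLE_IDS = ["7C42", "0A00", "9Z99"]      # constructed sample values
CUSTODIAN_KEY = secrets.token_bytes(32)    # kept secret, never published


def audit():
    unkeyed = [unkeyed_pseudonym(i) for i in SAMPLE_IDS]
    keyed = [keyed_pseudonym(i, CUSTODIAN_KEY) for i in SAMPLE_IDS]
    # Without the custodian's key, an outsider can only try some other key.
    outsider_key = secrets.token_bytes(32)
    return {
        "unkeyed": recoverable_fraction(unkeyed, unkeyed_pseudonym),
        "keyed": recoverable_fraction(
            keyed, lambda i: keyed_pseudonym(i, outsider_key)),
    }


if __name__ == "__main__":
    print(audit())
```

The strength of the hash function is irrelevant when the input space is this small. Keying protects only the identifier column; records can still be linked through the remaining attributes.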

Even if StatsCanada didn’t get access to people’s names (e.g. requested the data previously aggregated), it concerns me that there is no mention of more advanced methods for anonymization. Differential Privacy, for example, is a technique that adds statistical noise to the entire dataset, protecting users whilst still allowing for high-level analysis. Some tech companies have been exploring different techniques to improve privacy – governments should have a much more active role in this space.

Both Apple and Uber are incorporating Differential Privacy. The goal is to mine and analyze usage patterns without compromising individual privacy. Since the behavioral patterns are what matter to the analysis, “mathematical noise” is added to conceal identity. This is important as more data is collected to establish these patterns. It is not a perfect methodology, but Apple and Uber are making momentous strides in ensuring individual privacy is the backbone of their data collection practices.
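How the added noise works can be shown with the Laplace mechanism, the textbook way to answer a count or an average under differential privacy. This is an added example, not code from the original post or from Apple, Uber or Statistics Canada; the account balances are constructed sample data and the privacy parameter values are assumptions chosen for illustration.

```python
import random


def laplace_noise(scale: float, rng: random.Random) -> float:
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(records, predicate, epsilon: float, rng: random.Random) -> float:
    """Epsilon-DP count. Adding or removing one person changes a count by
    at most 1, so the noise scale is 1 / epsilon."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def dp_mean(values, lower: float, upper: float, epsilon: float,
            rng: random.Random) -> float:
    """Epsilon-DP mean with the record count treated as public. Values are
    clamped to [lower, upper] so one record can move the mean by at most
    (upper - lower) / n."""
    clamped = [min(max(v, lower), upper) for v in values]
    n = len(clamped)
    sensitivity = (upper - lower) / n
    return sum(clamped) / n + laplace_noise(sensitivity / epsilon, rng)


def make_balances(n: int, rng: random.Random):
    """Constructed sample data: n account balances in dollars."""
    return [round(rng.uniform(0, 20000), 2) for _ in range(n)]


def mean_abs_error(epsilon: float, trials: int, seed: int = 1) -> float:
    """Average distance between the noisy and true count of low balances.
    Smaller epsilon means stronger privacy and a larger error."""
    rng = random.Random(seed)
    balances = make_balances(1000, rng)
    low_balance = lambda b: b < 500
    truth = sum(1 for b in balances if low_balance(b))
    errors = [abs(dp_count(balances, low_balance, epsilon, rng) - truth)
              for _ in range(trials)]
    return sum(errors) / trials


if __name__ == "__main__":
    for eps in (0.1, 1.0):
        print(f"epsilon={eps}: mean absolute error "
              f"{mean_abs_error(eps, 5000):.2f} accounts")
    rng = random.Random(7)
    balances = make_balances(1000, rng)
    print("noisy mean balance:", round(dp_mean(balances, 0, 20000, 1.0, rng), 2))
```

Each query answered this way spends privacy budget, so repeated queries over the same people need their epsilon values added up. Production systems use a vetted differential privacy library, because naive floating-point noise sampling can itself leak information.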

Legislation Needs to be Synchronous with Technology

GDPR is nascent. Its laws will evolve as technology surfaces other invasive harms. Government is lagging behind technology. Any legislation that does not enforce fines for significant breaches in the case of Google Plus, Facebook or Equifax will certainly ensure business and government maintain the status quo.

Challenges of communicating the new order of data ownership will continue to be an uphill battle in the foreseeable future. Systems, standards and significant investment into transforming policy and structure will take time. For Statistics Canada and the Canadian government, creating frameworks that give individuals unequivocal control of their data requires education, training, and widespread awareness. Saucedo concedes,

 A lot of great thinkers are pushing for this, but for this to work we need the legal and technological infrastructure to support it. Given the conflict of interest that the private sector often may face in this area, this is something that the public sector will have to push. I do have to give huge credit to the European Union for taking the first step with GDPR – although far from perfect, it is still a step in the right direction for privacy protection.

 (Update) As of Friday, November 1, 2018, this Petition E-192 (Privacy and Data Protection) was put forward to the House of Commons calling for the revocation of this initiative. 21,000 signatures have been collected to date. Canadians interested in adding their names to this petition can do so.
Petition to the House of Commons
Whereas:
  • The government plans to allow Statistics Canada to gather transactional level personal banking information of 500,000 Canadians without their knowledge or consent;
  • Canadians’ personal financial and banking information belongs to them, not to the government;
  • Canadians have a right to privacy and to know and consent to when their financial and banking information is being accessed and for what purpose;
  • Media reports highlight that this banking information is being collected for the purposes of developing “a new institutional personal information bank”; and
  • This is a gross intrusion into Canadians’ personal and private lives.
We, the undersigned, Citizens and Residents of Canada, call upon the Government of Canada to immediately cancel this initiative which amounts to a gross invasion of privacy and ensure such requests for personal data never happen again.

This post first appeared on Forbes.

Investment

4 ways to plan for the post-pandemic normal

When the crisis eases, we will have entered a new digital normal. Your strategies need to reflect this shift: Consider these factors as you plan for the longer term.


This post originally appeared at Enterprisers Project.

When I sat down to write this article, a follow-on to my previous article on common leadership oversights on the path to digital transformation, the coronavirus’s threat to global business had not reached the magnitude that we feel and see today. In a few short weeks, the pandemic has forced a new virtual work reality on businesses and entire operating models have been shifted – and in many cases, upended.

A business environment that is changing so dramatically and rapidly requires speed, innovation on the fly, and the need to scale thinking beyond anything we might have previously imagined. Now is not the time to back-burner digital initiatives but to ramp them up.

When the crisis eases, we will have entered a new digital normal. The strategies we use to run, change, and staff the business will need to reflect this shift. Consider the following factors as you plan for the longer term:

1. The right financials

Any business that isn’t digital by now likely won’t be a business for long. Learning to embrace and adjust is imperative. Continuing – or starting – a digital transformation will be more important than ever, and you’ll need to rethink your business’ capital allocation strategies for digital initiatives and the staffing that supports them.

To figure this out, become best friends with your finance team and think for both the short- and long-term. In the current climate, it can be easy to be either too short-sighted or too far-sighted, but you need to plan for the next week, month, quarter, year, three and five years.

Consider how your company may bounce back from the pandemic when stay-at-home orders are lifted, kids go back to school, and consumers begin to mobilize again: We will have entered an entirely different digital world, with new digital expectations from consumers. Is there potential for a rapid and significant surge, followed by a normalization? Will you be facing a slow rise? Digital transformation funds need to be allocated to react appropriately to these various scenarios; staffing discussions should follow based on these decisions.

2. The right tools

It is likely that at least some of your employees will remain virtual, even when the majority can get back into the office. How will you support them? You may have sacrificed some tools or technologies in your move to quickly get employees out of your building and into their homes; you may have also overpaid for the sake of quick deployment.

You’ll need to rework your strategy for the long term. This could include better or more consistent access to networks and servers, the capacity to host formal business meetings online, new portable equipment, virtual collaboration and communication software, and more.

For many, this will require working with your corporate legal team to change their thinking. Where they may have once been risk-averse for the sake of the business, they will now need to take smart risks, also for the sake of the business. State your case, find common ground, and move forward.

In some particularly dire situations, you may even need to become comfortable with making decisions first and asking for permission later.

3. The right staffing

You’ll need to continue to make smart staffing decisions – quickly. You likely have three types of talent available:

  • Employees who are great at running the business
  • Employees who are hungry for more
  • New talent that may not yet exist in your business but needs to be brought in

Unfortunately, this global crisis may have created gaps in your workforce.

Identify the individuals in the first two groups and work with your talent management team to assess whether you need to advance digital investments previously planned for. Do these individuals have the right type of skills for their teams? Are they collaborative and communicative? IT cannot work in a silo, and team members need to be able to communicate what they are doing and why, and be clear on how their actions are aligned to larger goals.

When you’ve completed this review, identify the additional skills you will need for the future. This might include teams familiar with building out cloud deployments or working with microservices, etc. Push the rest of your leadership team to break through capital allocation constraints to bring in new employees who not only have the right experience but also can quickly teach your existing teams on new tools organically.

4. The right brand permission

As you work through your accelerated digital transformation, you’ll start to think about your business as a truly digital brand. In fact, you might already think so, simply because you’ve been able to get your staff up and running remotely.

But is this the perception all your stakeholders have? According to the Yale School of Management, “Brand permission defines the limits of customers’ willingness to accept a familiar brand name in new marketplace situations.” For example, you can’t simply say, “We are digital now, world!” and expect your market to immediately accept that if you haven’t been digital historically. You need to earn this right.

Brand permission is something you and the rest of the company will need to work on – largely focused on delivering useful and impactful digital products and services – in order to attract the new talent you need. Start thinking about this now.

The global pandemic has thrown us into an entirely new world. Business leaders can no longer rest on their laurels and, certainly, can no longer put off or draw out a digital transformation. Making the right decisions now will help to ensure your business is positioned well when this crisis passes.


Technology

Five key trends shaping the application landscape


According to application services/application delivery company F5 Networks, 98% of organizations depend on applications to run or support their business — hardly surprising considering that most organizations have some version of a digital transformation plan.

In their new 2020 State of Application Services Report, F5 has found that most organizations have entered the second phase of DX, defined as the integration of automated tasks, “and taking advantage of cloud-native infrastructures to scale the process with orchestration.”

As Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5 Networks explains in a blog post about the rise of cloud-native architectures, the average enterprise app portfolio is now at 15% modern, microservices-based applications. 

“That’s now more than the stalwart 11% of monolithic / mainframe-hosted applications,” she adds. “Considering reports of extreme backlogs for new applications in every industry, that modern apps have consumed such a significant percentage of the corporate portfolio is nothing short of impressive.”

Based on a global survey of nearly 2,600 senior leaders from various industries, company sizes, and roles, F5’s report outlines five key findings on the trends shaping the application landscape, “and how organizations around the world are transforming to meet the ever-changing demands of the digital economy.”

1. 80% of organizations are executing on digital transformation—with increasing emphasis on accelerating speed to market. 

As organizations work to scale their DX efforts via a digital footprint with cloud, automation, and containers, “it is time to manage the application portfolio like the business asset it is.” 

“Organizations able to harness the application (and API) data and insights generated will be rewarded with significant business value.” 

2. 87% of organizations are multi-cloud and most still struggle with security.

27% of respondents reported that they will have more than half of their applications in the cloud by the end of 2020. 

But despite the crucial importance of applications to business strategy, “organizations are much less confident in their ability to withstand an application-layer attack in the public cloud versus in an on-premises data center.”

When F5 asked how organizations decided which cloud is best for their applications, 41% responded that it was on a “case-by-case, per application” basis — an important strategy, given the uniqueness of each application and the purpose it serves for the business. 

“It is imperative to have application services that span multiple architectures and multiple infrastructures,” outlines the report, “to ensure consistent (and cost-effective) performance, security, and operability across the application portfolio.”

3. 73% of organizations are automating network operations to boost efficiency.

Process optimization is a key motivation for DX efforts, which makes it unsurprising that most organizations are automating their network operations. The goal? Consistent automation across key pipeline components: app infrastructure, app services, network, and security.

“Despite the fact that network automation continues to rise, we are still a long way from the continuous deployment model necessary for business to really take advantage of digital transformation and expand beyond optimization of processes to competitive advantage in the marketplace.”

Respondents report that the most frequent obstacles to continuous deployment are “a lack of necessary skill sets, challenges integrating toolsets across vendors and devices, and budget for new tools.” 

4. 69% of organizations are using 10 or more application services.

With the maturation and scaling of cloud- and container-native application architectures, “more organizations are deploying related app services, such as Ingress control and service discovery, both on premises and in the public cloud.”

Among the most widely deployed application services are those dealing largely with corporate and per-application security. “For the third year running, respondents told us by a wide margin (over 30 percentage points) that the worst thing they could do is deploy an app without security services,” details the report.

5. 63% of organizations still place primary responsibility for app services with IT operations, with more than half moving to DevOps-inspired teams. 

“It’s also no surprise to find that as organizations transform from single-function to modern ops-oriented team structures,” adds the report, “responsibility begins to shift from IT operations and NetOps to SecOps and DevOps.”

One reason why? The shift of application services into modern architectures. “DevOps teams are intimately involved with the CI/CD pipeline, which, for cloud- and container-native apps, includes a growing portfolio of application services such as ingress control, service mesh, service discovery, and good old-fashioned load balancing.” 


Leadership

Digitized and digital: Two sides of the digital transformation coin


According to a research brief out of MIT, thriving in the digital age means undergoing two distinct transformations: Digitization, i.e. the incorporation of digital technology into core operations like accounting and invoicing, and becoming digital — “developing a digital platform for the company’s digital offerings.”

While both of these require companies to embrace emerging technologies, these present two distinct challenges, each with a differing set of rules and strategies. As explained by Sara Brown from the MIT Sloan School of Management, “Becoming digitized relies on traditional business methods. Becoming digital requires breaking old rules and embracing new thinking.” 

Digitization relies on the company’s operational backbone, which supports core operations — i.e. how a company delivers goods and services, maintains its books of record, and completes essential back office processes, explains the research brief. Traditionally, base technologies for these were ERPs, CRMs, and core banking engines. Today, though, it’s likely software-as-a-service (SaaS).

At the same time, becoming digital means creating a digital platform — “a foundation for a company’s digital offerings and their rapid innovation.” Creating speed and innovation, “this platform, a combination of different software components that can link with partners and connect with customers, enables a company to quickly develop and add new digital offerings, and targets revenue growth,” explains Brown.

When it comes to managing both sides of this digital coin, decision-makers must manage leadership, operational, and cultural differences, Brown says:

Leadership: For digitization, leadership is firmly in place, making clear decisions, outlining processes and standards, and ensuring adoption success. 

For a digital platform, however, top-down decision making stands in the way of success. Trusted teams are in the driver’s seat, innovating and implementing new ideas. It’s up to management to define an overall digital vision.

Operational: “Changes to the operational backbone can be planned and evaluated using traditional methods like metrics and customer satisfaction,” writes Brown. On the digital platform side, these methods only result in frustration.

Cultural: Digitization isn’t changing the fundamental place of the operational backbone, MIT’s research found. A digital platform, however, “means radical changes in how decisions are made and work gets done. This can be uncomfortable for people at every level.”

Image via the MIT Center for Information Systems Research

When it comes to actually managing these two different teams, MIT researchers suggest these three actions:

Keep ‘em separated: Simultaneous management of digitization and digital means clearly distinguishing their separate responsibilities, says the research brief. Examples of companies that have taken this approach include Schneider Electric, Royal Philips, and Toyota. In another example, one organization’s operational backbone was managed by the CIO, with a Chief Digital Officer taking the lead on the digital platform.

Funding should also be separate. As the researchers outline, “People responsible for digitization can better pursue operational excellence when the operational backbone receives consistent investment, year after year, at the enterprise level.” Meanwhile, funding for short-term digital innovation “experiments” can be easily upped or decreased, depending on outcomes.

It’s important, however, to keep the overall shared vision in mind, explains tech specialist and Tech Wire Asia editor Soumik Roy, for TechHQ. Leaders might feel that separate teams are a waste of resources, he writes, “because ultimately, the business needs its digital initiatives to converge — like its data, analytics, and platforms.” But in reality, separate teams can optimize DX efforts, but only if a shared vision of the organization’s future is kept top of mind: “Each team, working on their own side of improvements, can make contributions that help move closer to the end state. In practice, this is often more productive as well.”

Rule breaking: Inherent in digital innovation is breaking old rules and making new ones, the researchers found, from subverting budget processes in order to guarantee resources to bypassing CRM approaches, among other challenges.

Rule breaking ends up being manageable because it’s relatively contained to a small team that’s experimenting, though it’s crucial digital teams have sign-off and ongoing support from senior leadership. 

New leadership: “Not all people who have successfully led traditional businesses are well-suited to digital business leadership,” says the brief. “The idea of breaking rules to identify what works may feel terribly unnerving for some, even when they have been encouraged to experiment.”

If someone in a leadership position isn’t comfortable with creating new rules, they explain, coaching could be implemented to help guide them in the right direction. Alternatively, there is likely plenty of new talent that is ready to implement a shift.
