Privacy and Duty

The last few months have been a tough time for internet security.

Recently, we’ve learned that a major computer manufacturer was found last week to be shipping laptops with malware and fake root certificates, compromising the secure communications of their customers.

We learned that hackers stole hundreds of millions of dollars from Russian banks.
And we learned that intelligence agencies may have hacked into a major SIM card manufacturer, putting the privacy of millions of people at risk.
Those of us in the IT world have a duty to respond to these incidents.
And I use the word duty very intentionally.  Most system administrators have, by nature of their work, a moral, ethical, contractual and legal obligation to protect client and company data.

For example, if they work for a law firm, then the Canadian Bar Association Code of Professional Conduct includes this section:

Maintaining Information in Confidence
1. The lawyer has a duty to hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship, and shall not divulge any such information except as expressly or impliedly authorized by the client, required by law or otherwise required by this Code.

 

To ‘hold information in strict confidence’, must apply every bit as much to electronic records and communications as any other type of information.

If you work for a company with a presence in Europe, you are bound by EU data legislation, which includes:

“Everyone has the right to the protection of personal data.”
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

 

In my career, I’ve often found myself working with health care data, and thus come under the jurisdiction of Ontario’s Personal Health Information Protection Act, which among other things states:

12.  (1)  A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

And anyone working in the financial industry is likely to find themselves subject to a Code of Ethics such as this one from TD bank:
A. Protecting Customer Information
Customer information must be kept private and confidential.”
C. Protecting TD Information We must carefully protect the confidential and proprietary information to which we have access, and not disclose it to anyone outside of TD or use it without proper authorization, and then only for the proper performance of our duties. “

Nothing to Hide?

Occasionally, I’ve heard the suggestion that ‘those with nothing to fear have nothing to hide.’
In the light of these duties and obligations, this claim is, of course, absurd.  Not only do we in the IT industry have access and responsibility to large amounts of confidential information, we have a moral, ethical, contractual and legal obligation to keep it secure – to ‘hide’ it.
Because we can’t divine intent when our systems come under attack.  Whether it’s a criminal gang, a careless vendor, or a foreign intelligence agency, the attack vectors are the same, and our response must be the same: robustly and diligently protecting the systems and data that have been placed in our care.

A Rough Week for Security

2014 was a tough year for anyone responsible for systems security.  Heartbleed was uncovered in April, which led to some seriously panicky moments as we realised that some secure webservers had been accidentally leaking private information.  And then again later in the year we discovered the Shellshock vulnerability in many Unix systems, leading to yet more sleepless nights as I and countless other systems administrators rushed to patch our systems.

trevor_neoI did find a couple of silver linings in these events, though. Firstly, both of the vulnerabilities, although severe, were the result of genuine mistakes on the part of well meaning, under-resourced developers, who didn’t anticipate the consequences of some of their design decisions.  And secondly, I was intensely proud of how quickly the open source community rallied to provide diagnostic tools, patches, tests, and guides.  With a speed and efficiency that I’ve never seen in a large company, a bunch of unpaid volunteers provided the tools we needed to dig ourselves out of the mess.

2015, however, is so far going worse.  This week’s security flaws, specifically the ‘Superfish’ scandal (in which Lenovo deliberately sold laptops with a compromised root certificate purely so that third party software could inject ads into supposedly secure websites, and thus exposing millions of users to potential man-in-the-middle attacks), and the now-brewing ‘Privdog’ scandal (trust me, you’ll hear about this soon if you follow security blogs…), are the direct result of vendors choosing to violate the trust of consumers in the interests of chasing tiny increases in their profit margins.

I’m processing a number of emotions as I get up to speed on the implications of these security flaws.  Firstly, frustration – any new security weakness causes more work for me as I test our systems, evaluate our vulnerabilities, apply necessary patches, and communicate with clients and colleagues.

Secondly, anger.  I’m angry that vendors do not feel that they are bound by any particular obligation to provide their clients with the most secure systems possible, and that in both these cases they have deliberately violated protocols that have been developed over many years specifically to protect personal data from hackers, thieves, spies, corporate espionage, and other malicious actors.  I don’t know whether their underlying motivation was greed, malice, or simply stupidity, but whatever the cause, I’m deeply, deeply disappointed.  Not just with the companies, but with the specific individuals who chose to create flawed certificates, who chose to install them, who chose to bypass the very systems that we trust to keep us safe, and who chose to lie to consumers about it; telling them that this was ‘value added’ software, designed to ‘enhance their browsing experience’.

Thirdly, though, I’m grateful.  We wouldn’t have even known about these flaws without the stirling work of security researchers such as Filippo Valsorda.   Watching his twitter stream as the Superfish scandal unfolded was a surreal experience.  As far as I can tell, the man neither eats nor sleeps, he just effortlessly creates software, documentation, vulnerability testing code, and informative tweets, with a speed that leaves me not so much envious as awestruck.

And finally, I’m left with a sense of determination.  The whole world is connected now, and the Internet is every bit as critical to our global infrastructure as roads, shipping lanes, corporations, and governments. And it is a vital shared resource.  If it is to continue to flourish, continue to allow us to communicate, learn, conduct business, share and collaborate, then it must remain a robust, trustable system.  And although we have been sadly let down this week by systems vendors, the Internet is bigger than any one company.  And our collective need and motivation for it to be a trustable system is greater than the shortsighted greed of any number of individuals.

So I’ll go back to work tomorrow, and I’ll do my best to keep my client’s data secure, their systems running, their information flowing, and I’ll do so grateful for all the work of millions of other hard working developers, systems administrators, hardware designers, and other assorted geeks.

 

Here’s to the crazy ones.

50c7815ca5987_Ancalagon_HobbitInternationalOnesheet_thumb

Sound and Fury, Signifying Not as Much as it Could

Just watched The Hobbit/Battle of Five armies, and have fairly mixed feelings. On the one hand it’s a stunning technical and visual achievement, and a number of actors put on excellent performances, but on the other it’s let down by what I feel sure is a flawed screenplay.

I can’t yet put my finger exactly on what I find weak, but part of it is that the story doesn’t know what it’s trying to achieve. Tolkien, I believe, always wanted to explore the boundaries between the known and the safe on one hand, and the unknown, wild, and dangerous on the other. From the very earliest stories he wrote – I guess Tuor and His Coming to Gondolin and Earendil the Mariner, he wrote stories about ordinary characters encountering the extraordinary.

To a certain extent Jackson achieves this – Freeman plays an excellent Bilbo, thrust into a tale of dragons and elves and orcs, and yet in this, the third of an overly-stretched trilogy, Jackson seems to lose his way. It feels as if he’s trying to cram in every last CGI technique that he has left to him before he leaves the world of Middle Earth forever, and so rather than narrative arc or character development we’re presented with a never ending series of over-the-top battles. Bats swarm in the sky, man-bears jump from eagles, Elves defy the laws of physics, every warrior throws himself at his foe with no sense of self protection, huge set piece battles are frequently interrupted with individual interactions, while one assumes the armies in the background simply take a breather and wait for the main action to be resumed.

Bard alternates between acting as an excellent general and abandoning his post to chase down his children. We’re warned in dire tones of a ‘second army’ emerging from Gundabad, but they never really seem to show up.

Frankly, the whole thing leaves me longing for the Peter Jackson who created The Fellowship of the Ring. That movie also had its share of spectacle – Gandalf’s battle with the Balrog, and the battle of Dagorlad in the introduction, for example, but the characters and the source material were treated with more respect.

Perhaps the fundamental difference is this. In Fellowship, the spectacle served the narrative, but in Five Armies, the spectacle, the CGI, the endless fights, became an end in itself. In an era when computers allow us to portray pretty much anything we can dream up, the question for any movie maker becomes not what can we do, but what should we do?

Or to put it more simply – just because you can, doesn’t mean you should. I’m left at the end of the movie hugely impressed with New Line Cinema’s props, casting, sound recording, scoring and visual effects, but uncertain as to what story they were actually trying to tell.

slack

Cut Me Some Slack

This weekend I’ve been learning all over again what it means to be a complete beginner at something.  You see, I went out and bought a slackline.  If you’re ever wondering exactly what it must feel like to be a young toddler learning to walk for the very first time, then I can’t recommend this sport highly enough.

There’s something wonderfully refreshing about tackling an activity you’ve never tried before.  Every little achievement feels like a major triumph.  To be able to stand on the line for a few seconds feels amazing; to manage to take a step or two before falling off can lead to wild applause from the bystanders.  And it’s also very egalitarian; the 10 year old in our party was making progress every bit as fast as me.

It got me thinking about the nature of fitness.  I often hear people say that they ‘want to be fit’, without ever really unpacking what that means. At it’s most fundamental, fitness refers to the body’s ability to perform a task.  And I realise that I can be exceptionally fit in one area and completely unfit in another.  For example, the months and months of training that I put in in order to be able to run an ultramarathon did absolutely nothing to prepare me to walk across a two-inch wide strip of webbing strung between a couple of trees.   Nor does it improve my ability to, say, perform push ups or hit a golf ball.

So the concept of fitness obviously encompasses a number of physical abilities.  I think they could be broken down as follows:

  • Endurance.  The ability to perform a repetitive action without becoming fatigued.  My marathon-running friends like Patrick have this in spades.
  • Strength.  The ability to apply force to an object.  Typically, we runners don’t do so well on this.  Ask me to do bench-presses or pull-ups, and I’ll tire out pretty fast.
  • Flexibility.  To be able to move limbs through a wide range safely.  Again, running doesn’t really do much to improve this.  My Yoga poses leave a lot to be desired.
  • Balance.  The ability to control your center of gravity on an unstable surface.  As the slackline is teaching me, I may be able to get myself around a triathlon course, but taking two or three simple steps can be a daunting task when the surface you’re on is swaying, bobbing, and responding to your every move.
  • Technique.  The ability to perform an action correctly and efficiently.  Every sport requires a commitment to learning correct body mechanics.  If you run incorrectly, you will hurt yourself.  It’s as simple as that.  If you learn to swim correctly, you will glide through the water nearly effortlessly, and still outpace those around you who are spending far more effort than you are.

There are probably more that I haven’t thought of.  I’m sure that diet fits in here somehow as well.  If I can perform well athletically but I’m not giving my body the food it needs to recover quickly and maintain health for the long term, then I’m not sure that I can claim to be truly fit.   So perhaps the final element of fitness is humility, the ability to adopt a lifestyle of continuous learning.

Today I got another taste of that on the slackline.  Tomorrow, who knows, I may stay on it for a few seconds more!

globe3t

Global Civics

Our world has changed dramatically.  The way we engage with each other must change too.

We are in the middle of one of the biggest social changes in all of human history; comparable to the dawn of agriculture.

For the first million years or so of human history, before the Neolithic revolution, we lived in small tribes of hunter-gatherers.  We had no large-scale social organization or institutions.    Everyone in the tribe knew everyone else – what their character was like, how much they contributed to the overall good of the community, who they were friends with, what they thought.

After the Neolithic revolution, everything changed.  Farming, probably the most important technological discovery ever, had a huge impact on the structure of human societies.  Agriculture led to a vastly higher population density, to fixed settlements, to division of labour, and to cities.

All of a sudden, we were living in groups bigger than we could keep track of.  No longer did we know personally all the people around us.  And so to manage this drastic psycho-social shift, we created new institutions and structures.

We created money to track the contributions of individuals to the shared economy.

We created laws to formalize what was acceptable behaviour in these new mega-communities.

We created courts, royal dynasties, and parliaments to organize these large groups of people.

And even our religious beliefs and systems changed.  Tribal shamans were replaced with formal priesthoods, with far-reaching social and political influence.

Eventually city-states grew into nation-states, and as they did so many people gave thought to what it meant to be a citizen.  Over time we developed the idea of a Social Contract, an agreement between the individual and the state.  The state provides stability, protection and  regulation, and the individual provides contributions of labour and  obedience to the laws and cultural norms of their country.

“civis romanus sum”

We may not talk about it much these days, but for centuries the exact relationship between the individual and the state has been a major topic of discussion.  The Latin word civis, or ‘citizen’ is the root of our words civil, civilized, civility, and so on.  A civil individual is one who understands his role and obligations towards a broader society.

Today, we live not just in connection with our local tribes, or our city, but with the whole world.  Each of us, daily, affects and is affected by people from around the planet.  This article can be read just as easily in Auckland as in Barrie.  The computer I’m writing it on was assembled in China.  In the news and in social media we can follow real-time updates from the sporting rivalry of the World Cup in Brazil or the horrific religious and ethnic violence in Iraq.

And so I believe we need a new, global, civics.  We need to be asking, and answering, these questions:

  • What does it mean to be a global citizen?
  • What are my responsibilities towards my co-inhabitants of this planet?
  • How do my economic and political choices affect those on the other side of the globe?
  • What positive, constructive steps can I take towards a healthier, more peaceful, more prosperous, more equitable global society?

Sometimes this world can be a depressing place.  When I read about the destruction of global ecosystems, the continued existence of concentration camps 60 years after the liberation of Bergen-Belsen, or our failure to bring war criminals to justice, I can get despondent.  But I’m not the first to feel this way.  The prophet Jeremiah experienced his country being invaded, his culture nearly destroyed, and  his fellow countrymen forcibly relocated.  He would have had every right to hate the system he found himself under.

But instead, he chose hope.  Seek the peace and prosperity of the city you’ve been exiled to,” he told the survivors.  And I hope today that we can learn how to seek the peace and prosperity of the entire planet. In our purchase decisions, in our politics, even in our Twitter conversations, perhaps we can pioneer a truly civil way of interacting with each other.

photo

Constructing Gender

I’ve been thinking a lot about gender recently.  In part this has been sparked by reading Margaret Farley’s excellent book Just Love.  Her work has  helped me realize two things.

  1. Gender permeates our thinking and speaking.
  2. Gender is harder to define than you might think.

We are forever talking about gender, and the differences between the sexes.

Books like “Men are from Mars…” become bestsellers.

Movies are categorized into ‘chick flicks’ and guy flicks.

Language itself is frequently gender specific.  In French, and in many other languages, objects are considered to be masculine or feminine, and referred to differently in each case.

Religions talk about gender a lot.  Many religions have codes outlining acceptable behaviour for men and women, and for the relationships between the two.  Even today, the Catholic church teaches that not only are women not permitted to be priests, they are not able to be – it is a kind of category error.  In the muslim world, there are strict rules regarding the participation of men and women in communal worship.

Gender-based violence is still a  huge problem in our society.  Perhaps 1 in 4 women in Canada have experienced some kind of sexual assault.

And yet despite this preoccupation with gender, I’m finding that it’s harder than you might think to define what we mean by the term.

When we talk about gender, when we talk about masculine and feminine, what exactly do we mean?

Maybe we mean the behavioural traits that are associated with one gender or another.   But what do we do if these vary from culture to culture?

Maybe we mean the physical characteristics that are associated with a gender.  But again, what if these overlap?  Men are said to be stronger athletes than women, but this is only true in the aggregate.  I will never run a triathlon as fast as Chrissie Wellington, however hard I train.

Perhaps we mean the social roles that men and women are expected to fill.  Nearly every society on earth divides task by gender, but interestingly they don’t always agree which tasks should be performed by which gender.

Perhaps when we’re talking about gender we’re simply talking about biology – the presence or absence of specific reproductive organs.  Although interestingly enough, these only start developing after a couple of months gestation, in response to certain genetic triggers.

So perhaps gender is all to do with genetics and chromosomes.  Fair enough, but even this runs into trouble when we start learning about the complex ways that humans and other animals determine gender.  Humans use X and Y chromosomes, other animals use Z, W, O chromosomes, or even environmental triggers such as temperature, to determine the gender of an infant.  Still other animals change gender during their lifetimes.   And even in humans, there are combinations of chromosomes and genes that lead to indeterminate gender.

So we’re left with this strange state of affairs – words that we all use, that we all assume have a common, shared meaning, and yet on closer inspection may hide some very complex realities.

I mean to consider the implications of these complexities in subsequent articles.

Trillium_ovatum_ssp_ovatum_2

The Worst Form of Government

“Democracy is the worst form of government, except for all those other forms that have been tried from time to time”

Winston Churchill

Tomorrow we go to the polls.  As of right now, I’m still undecided as to who I will vote for.  But I do know a few things for sure.

I’m glad that I live in Ontario.  Yesterday, up to 500,000 people were forced to flee Mosul in the wake of sectarian attacks.   Here, our political candidates have been trading verbal barbs.

In China, the government has been engaged in a massive exercise to remove all mention of the Tiananmen Square massacre from online discussion.  Here, I’ve been able to engage in email and Twitter conversations with several party candidates, and express my political frustrations quite freely on Facebook and on my blog.

In Syria, a civil war has been ongoing for the past three years, destroying homes, infrastructure, lives, and hope.  Hear, we experience one of the highest standards of living in the world, excellent healthcare, opportunities for social mobility, vast natural resources, and a peaceful society.

On Friday, we will have a new Provincial government.  Some people will be happy.  Others will be deeply disappointed.   The new government will, certainly, get some things wrong.  They will mismanage funds, there will be political scandals, taxes will not be as low as we might like, and there will not be the funding for every social programming that we think is deserving.

But despite all that, we will still have a functional, representative, democratically elected government.  My MPP will still be someone who lives in my city, who walks the same streets as I do, who I can actually reach out and speak to.  We will still have functioning schools, hospitals, roads, emergency services, and provincial parks.

We have these things because countless ordinary Canadians worked tirelessly for generations to build these institutions.  I’m glad for all the people from every party who think that the future of Ontario is worth fighting for, and who have engaged in this round of political discussion.  And regardless of who ‘wins’ tomorrow, I hope that every Ontarian wins, and gets a government that will continue to work for the best interests of the entire province.

IMG_20140610_211211

A Letter in the Mail

After having spent days complaining about the lack of engagement in genuine conversation from our politicians, I feel duty bound to celebrate when one of them talks to me. Rod Jackson, our PC candidate and the current MPP for Barrie, responding to my tweets with an invitation to discuss things further via email; and then sent me a page-long message with specific responses to each issue I raised with him.  Frankly, I’m impressed.  For him (or even for one of his staff) to take the time to engage directly with a single voter in the week before the campaign is a good indication of politician who actually takes his role as a representative seriously.

I certainly don’t see eye-to-eye with his party on every issue, but as I’ve said before, I deeply believe that we should be sending people with competence and integrity to Queen’s Park.  The ability to run an efficient campaign is actually a pretty good test of the former.  I’ve yet to formulate a satisfactory test for the latter, unfortunately – I suspect it requires taking a lot of time to actually get to know our candidates as people.


There’s been a lot of talk this year about ‘declining your vote.’  This is pretty much the only option that voters have for expressing their dissatisfaction with the available candidates in a way that actually gets counted.  Whether anything is done with that count is open to debate.  It’s certainly better than not voting at all, and probably worse than voting for a third-party candidate.  But either way, I’d much rather say ‘this is the person I want to represent me’ than ‘what can I do to stop that person from representing me.’ In an ideal world, as a voter I’d feel like an HR manager at a successful, popular candidate, interviewing a number of talented, qualified candidates, and having to pick the one who would be the absolute best fit.    Part of the problem is that a vote only records a tiny amount of information – a single check in a single box.  If there are 4 candidates in the riding, that information could be encoded in 2 bits.

  • Candidate A: 00
    Candidate B: 01
  • Candidate C: 10
  • Candidate D: 11

Which can only go so far in capturing the hopes, fears, aspirations and concerns of the average voter.  This is why we need to be engaged politically beyond simply voting.  We actually need to do the work of democracy – reading upcoming bills, understanding the mechanisms of government, writing to our representatives, learning about the issues facing our city, our province, and our world.

We could also start encoding more information in the ballot.  A Single Transferrable Vote system would go some way towards doing that.

11250009

Swingtown

According to threehundredeight.com,  Barrie is poised on a knife edge for the upcoming provincial election.  The leading candidate is predicted to get 39.2% of the vote, the next candidate, 39.1%.  In other words, we’re the tightest race in Ontario.  For once, I’m genuinely living in a swing riding.

In 2011 the election was decided here by 2,500 votes.  I suspect this time round it will be much closer.  My vote, and the votes of my fellow residences,  may actually make a significant difference to the local and provincial political scene this year.

But despite it being such a tight race, so far none of the candidates feel like engaging with me on Twitter.  Maybe I should just vote for the first one who replies to me; on the principal that at least it indicates that they understand something about technology; and as a software architect I might want to be represented by somebody who understands my field?

Or maybe not.  I still feel that it’s important to select candidates based on their qualifications, competence and integrity.  Less so on their promises;  I think of electoral promises and manifestoes as interesting works of fiction.  Candidates love to promise more jobs and  economic growth, but I suspect that government has far less power over these matters than most MPs would be willing to admit.  Politicians are quick to claim responsibility for improved unemployment numbers, or an uptick in GDP; but the same politicians in times of recession will be quick to point out that the poor economic news is due to factors beyond their control: inflation, foreign exchange, trade deficits, climate.

The problem is: economics is an inexact science.  It’s very good at providing a narrative explanation for why things happened in the past; it’s far less good at producing predictive power for the future.   Before becoming he Prime Minister of the United Kingdom, Gordon Brown famously promised to bring an end to the cycle of “boom and bust.”  He then presided over the biggest financial crisis in three generations.

So I’m cautious of politician’s promises to increase jobs or reduce debt.  because their ability to affect these matters is probably less than they think.   But I do care about how they will handle the responsibilities that they have been entrusted with.  And I believe that the best way to predict future performance is to look at past performance.  A wise man once said, ” Whoever can be trusted with very little can also be trusted with a lot. Whoever is dishonest with very little is dishonest with a lot.”

So when you come to make your choice, ask yourself – ‘what has this candidate done in the past?  How well have they acquitted themselves of the responsibilities they’ve been given? ‘

And if you can’t come up with good answers for those questions, vote for somebody else.