18 Dec 2012

About Instagram

Author: will | Filed under: creativity, data, data retention, identity theft, kerfulle, photo

If you are going to sell my pictures without me getting a cut and not call it piracy… Bye.

I was glad to see Alannah re-started blogging, but it took me seconds to realise that it wasn’t her; she wouldn’t blog about premiership football. Now that the New Year is comfortably over, I have a resolution I’d like you to consider: update your blog at least once this year, even if it’s just to say “I’m closing this down”.

And now, the long-winded meat of this post.

I am subscribed to over 900 blogs in Google Reader. That is a seriously silly amount of information flowing in to my brain. Or at least it would be if they were 900 actively updated blogs. The sad truth is that for a lot of reasons, blogs die. Sometimes it’s because life gets in the way of a keyboard. Sometimes it’s because a death stops typing. Sometimes it’s because the blog was tied to a company position and the blogger has moved to keyboards new.

A silent blog gathers no feed. Or rather, its feed sits in silence. Polls are ignored and it takes up very little attention.

But recently three things happened which make me question that.

First was the apparent hacking of Tom Raftery’s blog feed. Or rather the feed in Google Reader. It appeared as if his blog’s output was replaced by a very spammy list of products. A few hundred a day. I confirmed that he knew about it, but I didn’t want the firehose of, well, DVDs in stock, so I unsubscribed while he was trying to figure out its source.

I’m not too sure if the problem was at his servers now, but let me go on.

The next feed to suddenly spring to life was that of the knitter Alannah of “Over a Cup of Tea”. But her feed was full of the minutiae of the UK Premiership Football League. This wasn’t a spam stream of products; it was a stream of valuable (to the fantasy football players I know) information. It was tied to a site called “Over a Cup of Tea”, but that wasn’t the girl I was following. So I unsubscribed.

Then, since many things happen in threes, a third blog sprang to life. This time the technology blog “Its a Feature, not a bug” was replaced by details of a Japanese dance school. Yet another dead blog sprang to life in someone else’s hands, or in this case, shoes.

So what happened?

I have two possible answers, and both lie in Google Reader feeds.

Sometimes Google creates a feed for the blog; this usually turns up if I try to share a link from my phone. The format is something like feedproxy.google.com/~r/nameofblogwithoutspaces followed by an id string for the page. However, some names occur more often than others. If you don’t blog for a while, I suspect that the name gets recycled to another blog of the same name.

The other possibility is that, while I wasn’t looking, the blog shut down. The domain expired and was reassigned, and a new blog started up in its place. Google then saw “nameofblog.com” with a new feed and assumed that it was a continuation of the previous one, and reassigned it the old feeds it had in place.

Either of them is interesting. Just think, how often do blogs and domains expire? And if a once-popular blog goes dark and then offline, and you get that old name or domain, would you suddenly find yourself with an automatic audience (one that isn’t interested in you)?

Personally, I don’t clear out old silent feeds because, since they are silent, they don’t show up. It would take me quite a while before I noticed that someone was silent, unless their quarterly blog posts always began with “must blog more”.

Which is something I need to do more of.

take care… with the feeding of your blog,

Dear Ms. Marianne Mikko, Member of the European Parliament,

I’ve been reading reports that you have called for a registration of bloggers.

Given the importance of the Internet in Estonia, I suspect that you would get a lot of, er, assistance in providing an explanation of what you mean.
Or at least a high level of details on what you are actually requesting.

Most blog posts are highly personal by nature, be it personal observation, on-the-ground reporting of a war in their local neighbourhood, the antics of their cat (depressingly, there are a lot of these) or the route by which a blogger investigated the dealings of a disgraced public official.
They are closer to opinion pieces than investigative reporting.

There are also blogs which by their very nature need to be anonymous. Those detailing illegal activities by officials for instance. A registration of such a blogger is likely to lead to intimidation or death.

Do you wish to clarify your wording?
Say in a blog of your own for instance?

Yours sincerely,
Will Knott



“Was given chocolate. That’s a far better freebie than bloomin’ memory sticks!” — Jemima Kiss via Twitter.

[Image: College Green, Dublin, via Wikipedia]

By now everyone has heard the old story about people giving up their passwords for chocolate. Although Bruce Schneier has pointed out that he would gladly give a fake password for chocolate. Which is a little better than losing a lot of information about your customers. Yes, I’m typing about Bank Of Ireland.

This is an interesting problem for the Bank. In 2006 Bank Of Ireland agreed to refund phishing losses suffered by customers of their internet banking service, and later updated their terms of service to include:

13 Indemnity

13.2 Without prejudice to the generality of Clause 13.1 above, the Bank shall have no liability whatsoever in respect of any loss suffered by the Customer as a result of their breach of Clause 4 [jm: Security/Authentication] by way of knowingly, negligently or recklessly disclosing the Security Devices or any of them.

— via Justin Mason.

Richard Burrows, Governor of the Bank of Ireland, has declared on a news report that

  1. monies lost will be refunded and that
  2. the laptops were secured with a password.

However I reply

  1. What hoops do victims of this loss have to jump through? After all, some of the stolen information was not from BOI customers, but also from those who had approached the bank for a life assurance quote. Besides, the usual procedure is to create a new account somewhere or get credit cards in their identity, not touching the victim’s bank accounts directly, but ruining their credit rating in the process.
  2. This concerns data, not the laptops. It’s possible that the OS requires a password to be provided; however, it is quite easy to remove a hard disk and attach it to a separate machine, completely bypassing any password requirements of the OS. Either encrypting the customer data on the disk (as happened in the IBTS incident) or making the entire disk an encrypted file would have guarded against that. The data was unencrypted.

The information on the four BOI laptops contained the names, addresses, financial details and some medical records of its life assurance customers. Gosh, that is a goldmine of information for identity thieves, phishing operators and even the odd blackmailer (if the medical information reveals things). I’ve written about this before, and I don’t think things have gotten any better.

And it happened some time ago.

Bank of Ireland said the four laptops disappeared between June and October 2007 and contained the names, addresses, bank account details and medical histories of about 10,000 holders of the bank’s life insurance policies. Ireland’s second-largest bank made the admission after the chief regulator, Data Protection Commissioner Billy Hawkes, told Irish broadcasters RTE he had been informed of the lost customers’ data only last Friday.

via IHT

It’s the silence that is slightly worrying. The Irish Banking Federation hasn’t said anything. True, these were probably €900 laptops. But the information on them does open up the bank to potentially billions in damages; not that, given the statement by the Data Protection Commissioner, such punishment is likely to happen.

Now I’m hearing rumours that the banks are now encrypting customer data, but do you trust a bank with your data that can’t even link correctly to the page with the information about the incident on their own site? Hopefully someone will notice and correct things sooner than they noticed that the missing customer data might be important.

take care of your data,

UPDATE – April 28 2008
Number affected by BoI laptop thefts trebles – “The technical investigation has identified that details relating to 31,500 policies, policy applications and a small number of mortgage customers were contained on the stolen laptops.” So the numbers are worse than previously announced, and not all of those at risk are customers of the BOI. If the Data Commissioner can’t deliver punishment via a 4×2 then his remit should be altered.

I have the nasty feeling that I have more questions than answers but here goes…

The old days

Before technology, life in the office was simple. You had documents, and you filed them away. They were big, bulky and paper based (once stone, vellum and papyrus had their days). Sometimes documents got lost (down the back of the filing cabinet), sometimes documents were destroyed (blessed be the shredder, despite projects to restore shredded documents using software). Rarely did physical documents end up in the hands of the wrong person (but it happened). Then came easy duplication. And then came electronic records.

Electronic records, or data to give it an even more generic name, are everywhere. Data can be automatically collected and stored. When I first raised “data loss” I simply assumed I would stay on simple technical grounds such as “hard disk crash” or indeed losing the financial data of 25 million people in the post. Some of the issues are technical, some are legal, but all are social.

Never enough

Disk drives get larger to cope with the torrent of data. Much in the same way that “you can never be too rich”, it’s true that “you can never have too much disk space”. However… As data volume grows, our ability to weed out the wheat from the chaff declines. It’s easy to say ‘never throw out anything, in case it’s needed’. It also lets you avoid the boring (and possibly compromising) task of deleting data you don’t need. However, then your operational budget bloats – it costs as much to look after useless data as expensive data. If it goes on long enough, you can’t do anything about it; it’s possible you won’t ever remember what most of it is.

This is where one part of the legal framework stands. If you are, say, automatically collecting all the web sites that a certain IP address connects to, how long should you hang on to it? How long is it legally useful for? And worth keeping for? (Digital Rights Ireland have a few things to say on this.) There is also a technical problem… If an Internet access node is unsecured, is the owner of the node liable for something posted using it? At the moment, yes, but that is because it hasn’t been tested in an Irish Court.

Sealed with a click

Another part of this is content. Google has an archive of Usenet, a precursor to the web. This is data. Public data? Well, everything was considered public at the time. So this archive is publicly available.

But what about your diary? Not your blog, but your diary. Currently you have automatic copyright protection on everything you write. The contents of your diary become public domain 75 years after your death. Does the same apply to your e-mail? Private musings are supposed to become public domain after a time. If you turn out to be a famous person (at the time of your death) someone will hang on to every scrap of paper in the hopes that it will be worth something.
However, every e-mail you write is technically protected under copyright, and replying or, worse, forwarding an e-mail is technically in breach of a dozen copyright laws. When should your e-mail become public domain? If that data is on your hard drive, there is some hope that it will be forgotten about, but as the Microsoft anti-trust case showed, e-mail has a habit of copying itself to other places than your drive. After all, there are the recipients, and all the servers between (and a few that shouldn’t have gotten it in the first place).
When should this mail become public domain? 75 years after your and every contributor’s death? Something like that is impractical. 100 years after the message is sent? 50 years? And what if the message contains still confidential information (like the secret recipe for Snickerdoodles & Chocodoodles)?

Silly idea? Old medical records do go “public”, but these are usually stored in archives of interest to few (usually medical students and researchers who would be qualified to have access to the information in the first place).
“Would it be morally right to give public access to email & messaging accounts 100 years after they were last accessed ? How interested would the historians of the future be in a copy of bebo.com from 2005 ? Or the contents of the mailbox of a famous serial killer 50 years after they died ? I don’t think we have the option of letting that sort of data lapse. It will be the clearest echo of society’s global digital consciousness.”

This is the first time that the general public have had their personal messages (not just information) stored. Should I be retained for your grandchildren (but hidden from your prospective employer)? When should an e-mail be considered an orphaned work?

Backing away

Along with the problem of how long data should be retained, let’s look at the actual retention problem. If you ‘never throw out anything, in case it’s needed’, you have an increased storage problem. I hear the call of “backups”?

“As data volumes grow, you either have to put all your eggs in one basket, or have multiple baskets. From experience, it’s so tempting to try consolidate your data in one place, to reduce admin overhead. Hopefully that one system won’t have a buggy motherboard that’s silently corrupting everything it writes. And it’s really painful if someone accidentally deletes a few petabytes of data – copying from backups takes ages, for a start.”
Or “bugs in archival software (“Yup, that’s archived. Oh, wait. No..it isn’t. The machine had a bad disk, software crashed, and reported ‘everything OK’ when it restarted…”) and freaky network instability (guys doing rewiring, restarting cluster routers and maybe some dodgy cables) resulting in more than one machine reporting as being the ‘one true repository’ for a certain type of data.”

So the backups might be a problem….
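The failure modes quoted above (a disk silently corrupting what it writes, archival software reporting “everything OK” when it was not) share one mitigation: record a content hash for every file when the backup is made, keep that manifest somewhere other than the backup medium, and verify against it on restore. The following is an added example, not code from this post or from John Looney; it uses only the Python standard library, and the “files” are a constructed in-memory set standing in for a backup, with the corruption deliberately simulated.

```python
import hashlib
import json

# Constructed sample backup set: file name -> contents.
SAMPLE_FILES = {
    "customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "policies.csv": b"policy,holder\nP-1,Alice\n",
}


def sha256_hex(data: bytes) -> str:
    """Content digest; SHA-256 so a single flipped bit changes the output."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record digest and size of every file at backup time."""
    return {
        name: {"sha256": sha256_hex(data), "size": len(data)}
        for name, data in files.items()
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the manifest itself (canonical JSON), to be stored off-media
    so a corrupted or tampered manifest cannot vouch for corrupted data."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify_backup(files: dict, manifest: dict) -> dict:
    """Compare a restored file set against the manifest.

    Returns lists of names under: ok, corrupted, missing, unexpected.
    A size match alone is not enough; the digest is always recomputed."""
    report = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for name, entry in manifest.items():
        if name not in files:
            report["missing"].append(name)
            continue
        data = files[name]
        if len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            report["corrupted"].append(name)
        else:
            report["ok"].append(name)
    for name in files:
        if name not in manifest:
            report["unexpected"].append(name)
    return report


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate silent storage corruption: one bit flipped, size unchanged,
    so a size-only check would still report the file as fine."""
    mutated = bytearray(data)
    mutated[index] ^= 0x01
    return bytes(mutated)


def demo():
    """Clean verification, then a restore with one corrupted and one lost file."""
    manifest = build_manifest(SAMPLE_FILES)
    clean = verify_backup(SAMPLE_FILES, manifest)

    damaged = dict(SAMPLE_FILES)
    damaged["customers.csv"] = flip_one_bit(damaged["customers.csv"], 5)
    del damaged["policies.csv"]
    bad = verify_backup(damaged, manifest)
    return clean, bad


if __name__ == "__main__":
    clean_report, bad_report = demo()
    print("clean restore:", clean_report)
    print("damaged restore:", bad_report)
```

The point of `manifest_digest` is that the manifest is itself a file on some disk; keeping its digest in a separate system (a ticket, a printout, a different site) is what lets you trust the “everything OK” the verifier prints.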

But let’s assume that the backups are valid. Then you have two format problems.

The first: we don’t have the hardware which can read the tapes anymore.
This actually happened to me professionally. I remembered when the archives were made, and indeed the data was found, documented in place A where the off-site storage utility had the backups. However, the tape drives had been scrapped years before.
And those of you who remember the Domesday project know that the BBC fell into a similar problem.

The second: let’s assume that the anarchic backup archive tape could get its contents loaded on to a system you can use… can you read the data format?

Earlier this year, Microsoft released a service pack which purposefully disabled older file formats. So your carefully restored data might be unreadable to the world, and worse, yourself. In a business case, the original specifications (or recipe) might be needed. Or your great grandfather’s proposal on an on-line forum to the woman you’ve come to know as your great grand aunt.

Is there a “fix” for this? Well making the older formats fall in to the public domain would help. After all, if you’re not using them…

So who deserves the credit, and who deserves the blame?

So the disk has crashed; who do you sue? It should be simple, but it ain’t. Much like a delayed or cancelled flight does not give rise to refunds if the cause of the problem is beyond the control of the airline, there are ways a disk can go. Legally.

Usually a hard disk will crash in infancy (within a day or two of starting life), meaning little if anything has been lost and it’s under the manufacturer’s warranty. Or the disk will die as it approaches the end of its predicted life (well after warranty). The fact that the computer is usually obsolete long before you take it out of the box isn’t something to be considered.

And while I’m sure that back-up software and hardware have warranties, the legal click-through probably covers some lost data. But since the cost of a new hard disk is usually less than the cost of the backup measures… home backing up is rare.

In a corporate setting, the party that loses the data should be held liable, but I don’t know of any cases in Irish law on data crashes. Data going missing, however…

it’s a steal, it’s a loss

Credit card data gets stolen. It’s an identifiable crime. Who (other than the criminals) is liable?
Well, was a reasonable attempt made to protect the data? If so, was it reasonable enough? Can you sue for loss of data? (And given the ability to reconstruct shredded credit card bills (cited at the start), are you the cause of the data breach?)

Apparently no. If data is lost (in the post) or stolen, there is no case until the data is used and a victim can be shown to have damages (or have lost money) from the act. If personal data goes missing, is there a lawsuit? Libel or slander is not applicable since the data suggests, if not proves, that the information about the victim is true. There are privacy charges, but currently there is no privacy law in Ireland. Direct financial damages are possible, but the cost of the case is usually more than the loss. And there is the time it takes…

In the case of the recent UK financial data loss, a lot of the data is personal data pertaining to minors. In fact, everything needed for identity theft for when the minor becomes an adult. So someone sitting on the data would wait 10 to 18 years to strike. Is there a statute of limitations (or similar) for data theft? Or in this case, identity stolen almost a generation ago?

Well, I have asked more questions than I’ve answered…

Anyone able to answer some of these too?

Take care,
William Knott

With kind thanks to John Looney of Google (for the tech and social angles) and Simon McGarr of Tuppenceworth.ie (for the legal questions and answers)


16 Oct 2003


Author: will | Filed under: business, data retention, law, legal, legislation

Gentle reader,

Would you like to read some e-mail? Like Enron’s?

take care,