CIPP Guide » Information Privacy

Wikipedia and Amazon opt out of UK controversy

jbrook — Mon, 20 Apr 2009 19:09:22 +0000

Amazon and Wikimedia will sidestep the storm brewing around Phorm and the British ISP’s. Last week, after the announcement by the European Commission that charges would be brought against the United Kingdom for failing to conform to the EU Data Protection Directive, both Amazon UK and Wikimedia announced they will not participate in the behavioral advertising vendor’s work.

The BBC reports Amazon UK spokesman Craig Berman released a statement: “We have contacted Webwise requesting that we opt out for all of our domains.” The company declined further comment on the decision rationale. “All we’re saying is we’ve chosen to opt out,” he said. “I don’t know if they’ve even implemented anything yet.”

In an email posted to the Wikimedia tech blog Thursday, Wikimedia stated:

“The Wikimedia Foundation requests that our web sites including Wikipedia.org and all related domains be excluded from scanning by the Phorm / BT Webwise system, as we consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.”

In a statement, Phorm said: “There is a process in place to allow publishers to contact Phorm and opt out of the system, but we do not comment on individual cases.”

The Open Rights Group urged major Internet companies to opt out of Phorm each time more circumstances come to light, said it was very pleased with Amazon’s move.

“By choosing to block the contentious online advertising system from scanning its Web pages, these firms have taken the positive choice to protect their users’ privacy and their own brands. We expect more sites to block Webwise in the near future and ISPs to drop plans to snoop on Web users.”

As the European Commission moves further with their case against the United Kingdom, and more publicity surrounds Phorm and Webwise, everyone should expect more companies trying to distance themselves from the situation.

EU begins legal action against UK over privacy

jbrook — Thu, 16 Apr 2009 22:56:29 +0000

The Europeans value privacy; it is a fundamental human right in their eyes. Every country which forms the European Union joined agreeing to several stipulations. One of those surrounds human rights and privacy, and is a very popular topic for a CIPP. The European Union’s Data Protection Directive 95/46/EC constitutes a comprehensive privacy model, promoting an EU citizen’s data privacy regardless of who holds it, for what reasons or uses, or when it was collected. In particular, Article 7 of the Directive asserts:

Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

This treatment of personal information held quite a bit of headache for multi-national companies with sensitive HR data or customer relationship information. These problems were eventually ironed out between the EU and the US Department of Commerce through the passage of the Safe Harbor program in 2000. The Center for Democracy and Technology gives a tidy summary of the Directive and international responses.

Intra-EU privacy was supposed to be quite well understood. Except by the British it appears. The European Commission began legal action against the United Kingdom Tuesday for failure to “ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user’s consent.” In other words, not following Article 7. To be fair, the 27 EU Members have had 90 cases of some sort of action brought against them, so the British are not in the minority.

The action, says EU Telecoms Commissioner Viviane Reding, relates to behavioral advertising company Phorm, and Internet Service Providers (ISPs) usage of the technology. Apparently, British Internet users complained about interception and surveillance of their surfing habits. The Federal Trade Commission brought similar behavioral US marketing problems to light in February.

“Technologies like Internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules,” Reding said in a statement. “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications.”

For the United Kingdom, there has to be some question of sovereignty mixed in with the privacy lapses. EU Member States “cede part of their sovereignty under treaties which empower the EU institutions to adopt laws”. If Britain fails to come in line with the privacy protections from the Directive, Reding has the power to force the country to appear before the EU’s highest court, the European Court of Justice. The Court of Justice can thereby force Britain’s compliance.

Finland's Fingerprinting Fiasco? Centralized private records database accessible by police

jbrook — Thu, 05 Feb 2009 19:08:08 +0000

A bill expected to be presented to the Finnish Parliament today will require all citizens and anyone who applies for a passport or travel documents through Finland’s borders to end up in a centralized fingerprint database. This information will not only be accessible to customs and immigrations officials, but also by police. The justification for such action lays in the June 28th European Union’s Member State travel document requirements.

This seems to fly in the face of EU’s Privacy Protection Directive, and a long history of pro-privacy government. Finland was one of the early participants of a group called the Organization for Economic Cooperation and Development (OECD), signing up in 1969. The OECD’s eight privacy principals served as a baseline for private data handling within member states and included such items as collecting the minimum amount of information necessary and limitations of use for any data collected.

Finland’s not the first country to register this sort of information – Singapore’s been doing this for several years. They keep all of their citizen’s data (including fingerprints) in one big database called the Central Identification and Registration Information System (CIRIS). It not only covers Singaporian’s, but includes anyone that passes through their customs and immigration checkpoints. Granted, it’s protected through several security mechanisms, they’re a much smaller country land-wise and not affiliated with Europe or it’s wartime past indiscretions, but the population difference is less than 600K in Singapore’s favor and the economic influence of the tiny island can’t be ignored.

Why the parallels to Singapore you may ask? Pedigree. Singapore is part of the Asia-Pacific Economic Cooperation and (mostly) abides by the APEC privacy framework. The nine principles of the APEC privacy framework mirrors the OECD’s eight, including both the Collection Limitation and Use Limitation principles. The CIPP covers all of this history and evolution between the various privacy assurance concepts.

Finland might look over some of Singapore’s justifications for private data centralization in selling this to their citizens. Are they collecting the fingerprints just to have them on file? Maybe someone somewhere might do something criminal?

The Google translation of the Finnish government’s statement is here.

NSA spied on journalists during wiretapping program – an analysis of the hype

jbrook — Tue, 27 Jan 2009 03:52:16 +0000

Last week, on “Countdown with Keith Olbermann”, former NSA Analyst Robert Tice reported that the NSA spied on journalists as part of their Wiretapping program to root out terrorism. The media has a way of editing/hyping stories, so let’s play Devil’s Advocate, and examine what the interview actually charges for violations of privacy rights.

First, Mr. Olbermann points out several inconsistencies within the Bush Administration’s handling of wiretapping. Originally, the wiretaps required court orders. Then interception of international communications are only for people with clear and known links to terrorist networks. Mr. Tice states from his observations that ordinary citizens were also monitored:

… the National Security Agency had access to all Americans’ communications, faxes, phone calls, and their computer communications. And that doesn’t — it didn’t matter whether you were in Kansas, you know, in the middle of the country, and you never made a communication — foreign communications at all. They monitored all communications…

There is a bit of media hype to what Mr. Tice points out. This has nothing to do with choosing the journalists’ communications or spying on domestic citizens. This has to do with networks and the way modern monitoring works.

In the olden days, a telephone communication created an actual circuit aptly called a circuit switched network – one pair of wires connected from one side of the call to the other. To listen in, a law enforcement official simply plugged themselves in between the single channel. From the phone company’s standpoint, individual cir is somewhat inefficient and doesn’t scale well. Eventually the phone systems went to what is called a packet switched network. This method dices the communications into pieces, shipping them to the end caller through whatever direction they will reach the other end. The pieces don’t need to follow the same path throughout the call. In some communications, understanding the next piece depends on the previous piece. In other words, it’s all or nothing.

Now follow what these facts imply: the tapping of terrorist communications requires gathering more than simply a couple of wires that cross the Atlantic. Tice himself points out the difficulty of this situation:

Well, it’s actually, even for the NSA, it’s impossible to literally collect all communications. Americans tend to be a chatty group. We have the best computers at the agency, but certainly not that good.

So instead, the agency would inspect all of the “meta data”, or signaling information such as phone numbers, IP addresses, call length and the like. The meta data allowed removal of numerous communications that don’t fit a profile so that analysts such as Mr. Tice may review a more manageable amount of information. Mr. Tice recalled:

… in one of the operations that I was in, we looked at organizations just supposedly so that we would not target them. So that we knew where they were, so as not to have a problem with them.

Now, what I was finding out, though, is that the collection on those organizations was 24/7, and you know, 365 days a year, and it made no sense. … But an organization that was collected on were U.S. news organizations and reporters and journalists.

The Foreign Intelligence Surveillance Court of Review affirmed the wiretaps were in fact not in conflict with the Fourth Amendment’s warrant requirements for collection of foreign intelligence of American citizens. This was a focused ruling, and does nothing with respect to other rights. This includes such Constitutional heavyweights as the First Amendment, which directly references journalists: “Congress shall make no law … abridging … the freedom of the press.”

In the second part of the interview, Olbermann cites the New Yorker Magazine article last year where, through a series of intertwined relationships, reporter Lawrence Wright’s daughter ended up as a person of interest connected to terrorism:

…the FBI had asked (Wright) about phone calls he made to a British lawyer who was representing former jihadist, calls the FBI thought were made by Wright‘s college aged daughter. More than wire-tapping was at work here. The name of Wright‘s daughters was not in the phone records. So how the hell, Wright demanded, did the FBI know his daughter‘s name.

It sounds like the NSA program worked. The FBI handles domestic federal investigations. Intelligence ended up in the FBI’s hands regarding an overseas, foreign telephone call discussing someone connected to a terrorist, albeit indirectly. With the popularity of Universities in the 9/11 bombings and several cases since (a certain University of South Florida professor springs to mind), an investigator/analyst somewhere connected a couple of dots incorrectly.

The next rhetorical question: does the threat of being spied on cut short or curtail (definition of abridge) journalists. I’m sure there’s a legal debate there somewhere. As for putting together financial records, the government’s been tracking large money transfers for quite some time in an effort to fight drug money laundering, mob racketeering, and a whole host of other reasons. Marrying that information to the wiretaps could limit false positives?

It’s all a slippery slope, and with the appointment of less conservative judges over the next few years, maybe privacy rights will slide back towards those of the individual. One thing’s for sure, there haven’t been any domestic terror acts in the last 8 years. At what cost and whether it’s just luck is another story.

Here are links to the Olbermann/Tice video (part 1 and part 2) and transcripts (part 1 and part 2).

Privacy and Messaging through Postini

jbrook — Thu, 01 Jan 1970 03:59:59 +0000

Postini is Google’s 2006 acquisition for secure messaging, and a direct competitor to IronPort. All of their offerings surround Software As A Service (SAAS), matching directly with Google’s overall technology strategy. They provide several services, including web security, anti-spam/malware, mail filtering, and archival with indexing. The Data Leakage Prevention capabilities provide privacy protections through outbound communication filters. Additionally, there are management tools and continuity procedures appropriate for enterprise use.

Postini’s background technology stems from threat assessment and message parsing capabilities, grown through several years as a primary mail provider. There are two major patents, with a variety of claims following each one. The first patent surrounds on-demand message scanning and routing. The geographically distributed Postini data centers proxy all communications (corporate, wired, wireless, portal, etc) and filter the communications appropriately, removing viruses, spam etc. The second patent centers on threat detection and control, and methods for generating and processing a sender/ISP/country’s reputation and then acting accordingly.

The technology doesn’t seem that revolutionary today, and the online documentation frequently references the existence of prior art not mentioned in the patents. However, from a security perspective, the techniques Postini uses are sound. Communications between Postini and corporate mail servers are TLS encrypted. This allows additional features for Data Leakage Prevention by both companies. The Intrusion Detection, Anti-virus, and Anti-spam filters are all independent of the networking infrastructure, and likely include best of breed solutions whenever there’s not a better trade secret/patent in-house. Postini uses portals and web services for sending messages to non-subscriber recipients. The portals guarantee messages are not susceptible to a man-in-the-middle attack.

The Message Security and Message Delivery services offer content filtering for Data Leakage Prevention. There are consoles and rule engines for policy definition, as well as canned Personally Identifiable Information (PII) controls for things like Social Security Numbers or credit card information. The GUI apparently delivers enough rule granularity to at least filter attachment types and perform in message word detection.

Postini’s technology does not address malicious insider activities and could be its biggest weakness. This becomes more of an issue when examining the Google addition of archival and search. Site administrators may configure Postini for secure communications between corporate partner mail servers, and even make this a policy based requirement for some message delivery. This secure communication eliminates privacy issues between the corporate email servers and the Postini data centers. It does not, however, account for a messages time on disk or in use. Trusted insiders at the sender’s or recipient’s locations may manipulate or view messages. From a third party point of view, administrators at the Postini sites could possibly have enough access to circumvent many of the same protections. On Postini’s provider end, at least within Google, record access rights are strictly controlled with procedure.

Google’s approach to pricing is the most attractive part of the Postini product. It follows the principals of scale, expecting more consumers at a lower tipping point. For $3 annually per user, Postini provides inbound email filtering (Message Filtering) for viruses, trojans, spam, etc… At $12 annually, Postini does the same for outbound messaging and adds content and attachment conttrols as well as policy monitoring and centralized administration (Message Security). The $25 per year includes the archival and search features Google threw into the mix (Message Discovery).

Google "face-blur" technology better preserves privacy

jbrook — Wed, 14 May 2008 16:44:53 +0000

The idea is great. If you haven’t used it, check out the Street View button when using Google Maps. It’s interesting to see places you haven’t been on a virtual tour, similar to what the Realtors use for their online home tours. It doesn’t cover everywhere, simply because it requires feet on the street. However, most of the big metropolitan areas have at least some footage.

Unfortunately, users found a problem with Google Street View shortly after its introduction. The camera’s caught people in the act – of whatever. It was sensationalized by the New York Times coverage of the privacy of Mary Kalin-Casey’s cat. Wired Magazine even held a contest for the best pictures captured by the new Google maps extension, including the gentleman caught alongside the highway in San Bruno, CA relieving himself. It was kind of fun in a Where’s Waldo sense.

With the newest revision of their software, Google automatically blurs faces announcing,

“We’re also taking this opportunity to test our new face-blurring technology on the busy streets of Manhattan. This effort has been a year in the making — working at Street View-scale is a tough challenge that required us to advance state-of-the-art automatic face detection…”

Its anyone’s guess, but Google will likely replace existing street maps with the new sharper resolution and anonymized versions. They’re starting with Manhattan, for the obvious population density. We’ll see where they go next.

There are numerous applications of this sort of technology. The blurring itself is not that impressive. Cops have been doing it for those presumed innocent for years. And recognizing a face within a single frame is now built into cameras. Research into novel facial detection and search capabilities continues – it’s a tough problem, accounting for lighting, angles, profiles, etc. A product calling itself Google Portrait (although not affiliated with Google) finds pictures in a search I tried for Barack Obama.

The 2001 Tampa Super Bowl was the first big privacy splash with this sort of technology, where attendee’s faces were plucked from surveillance cameras and compared against a person of interest database. Critics considered this an invasion of privacy. In the debate, a UCLA law professor, Eugene Volokh rang in his opinion.

“There’s no Fourth Amendment problem if the government is simply observing — or even recording — what goes on in public,” Volokh says. “For constitutional purposes, that’s just not a ‘search,’ because there’s no legitimate expectation of privacy. Nobody thinks that their appearance at the Super Bowl is something that is hidden from the roving eye.”

For the original privacy issues, Google’s response appears manual, in several instances simply re-filming or deleting frames. Google will always have a tough problem on their hands. They warehouse more information than anyone else in the world. This latest feature shows the company’s commitment to its reputation; they listen to their customers, and when something becomes a front page headline, they react with cutting edge technology. If they don’t, you’ll be learning the rules and regulations they will face in legislation covered on the CIPP exam.

Information privacy Way Back when?

jbrook — Wed, 14 May 2008 04:20:24 +0000

Have you ever visited archive.org or used their Way Back machine? It’s a catalog of the Internet, and in my opinion one of the most ambitious projects undertaken. The sheer volumes of data astounds me. They don’t measure in Gigabytes, Terrabytes, or even Petabytes. They’re into the Exabytes, and pushing beyond. Cloud computing (and Jeff Bezos) don’t look quite so foolish now.

The site’s mission is to preserve the historical aspect of the net. Granted, some of my earliest ‘net memories aren’t quite the same without the VGA resolution monitor, Netscape, Windows 95, or modem chirps, but the pages are accurate.

The same issues surrounding public records (see the recent interview w/ Barbra Symonds) exist with the Net’s archival. Storing that much information at anyone’s fingertips can be dangerous, especially without any controls. I’m not a proponent of regulations; more so of education. So here goes:

If you’ve played around with Google Hacking or Search Engine Optimization, you probably know a page taken down remains in a search engine like Google’s cache indefinitely – more or less. If it’s instead updated, it’s reindexed and the cache changes.

That same page remains on the Way Back machine – not reindexed, just indefinitely. No updates, no cache changes, just another revision for another month/week/day. Elliott Spitzer’s call girls – indexed. Paris Hilton - logged. The Virginia Watchdog’s privacy work – stored.

Even if a judge orders a cease and desist in the latest scandal, and the site is taken down, most judges are not tech savvy enough to understand the ramifications of the web and the proliferation of digital data. The people who wanted the info already have the Virginia congressman’s social security info, or the former Florida Governor’s Social Security Number on a house purchase. The judge simply can’t erase every person’s hard drive, and nothing’s preventing any one of those individuals from reposting it.

The privacy implications are obvious; the web’s persistence is unyielding. The laws and regulations studied as a Certified Information Privacy Professional (CIPP) exist, but legislation lags the world of technology, most times significantly so.

Let’s face it. Your personal information won’t change any time soon. Your mother will still have the same maiden name, your Date Of Birth (except for women) will remain constant, and without serious appeals, your Social Security Number isn’t going anywhere. Once it’s out there, it’s out for good. And site’s like the Way Back machine will perpetuate any disclosures. Again, it’s not a good thing, or a bad thing, but an education lesson.

Those typos I made 7 years ago in a conference submission – even without the Net’s archive they’re still there, with a relatively high page score. Almost wish I’d spell checked one more time.

Upcoming interview w/ Barbra Symonds, CIPP/G

jbrook — Fri, 02 May 2008 22:44:19 +0000

An interview with the Barbra Symonds, Associate Partner with IBM, and former IRS Director of Privacy & Information Protection, and before that project manager for the Veteran’s Administration’s Privacy policy will appear on the site within the next 7 – 10 days, pending approval. Barbra was part of the original group that defined the Certified Information Privacy Professional for Government (CIPP/G). It was a great interview, with some timely comments on the state of information security and information privacy.

Password hacking with chocolate: Are women more susceptible to social engineering?

jbrook — Thu, 24 Apr 2008 10:00:01 +0000

The Mitnick attack. The 10 attack. Social Engineering. Each of these emphasize how readily people part with valuable information to someone posing as an IT staffer, a very attractive member of the opposite sex, or someone friendly. You may now add candy bars and women…

No matter how you slice it, the weakest point in any security program ends up being the end user. User training seems to work with frequency of message, but without hearing the importance of security it seems quickly forgotten.

That is of course, unless the message starts at the top with a strong corporate policy, well understood consequences, and swift consistent enforcement. During my security training (I believe my CISSP), the instructor shared an example of a large, Canadian company with a zero-tolerance policy toward password disclosure. A Sr. V.P. within the company did just that with his secretary. During an audit, the IT staff discovered the VP logged in while on travel in 2 separate places, checking email. The VP was immediately terminated, the secretary put on probation.

This information trickery is the same idea as pre-texting in the privacy world . A caller (typically) phones a target under some false pretext, such as a survey or sweepstakes winnings. After ‘verifying’ enough publicly available information, such as name, street address, phone number, additional information is provided incorrectly or incompletely, typically date of birth, mother’s maiden name, bank where winnings may be deposited or social security number to report the winnings to the IRS.

Once armed with this information, the assailant calls in to the bank after ‘losing’ their checkbook, or simply requesting a change of address. From there, enough information is in in hand to (hopefully only) clear out the checking account, or continue with a complete identity theft. Banks and retail merchants are recognizing this trend and are putting further and further measures in place to protect their customers.

Security is one of the five domains integral to the Certified Information Privacy Professional (CIPP) and for good reason. The chocolate and the sweepstakes winner are the same problem, and mitigated through the same policy and training. Now if we could just convince the user populous – if it seems to good to be true – it probably is.

eDiscovery – Could the obvious approach put too much private information into one spot?

jbrook — Wed, 23 Apr 2008 10:00:00 +0000

Electronic Discovery, or eDiscovery, is the digital analog to a court request for documents and files pertaining to a proceeding. As with anything digital, the courts expect discovery times in days and weeks, versus the months (years) given for paper files. Punishments for failure to produce could be regulatory, legislative, or may even include court based consequences such as contempt charges. In a recent survey by Information Security Magazine, only 28 percent of respondents knew how they would handle an eDiscovery request. Even knowing where to look seems a daunting task. I have trouble at times finding a matching pair of socks in a 2′ x 3′ drawer.

Well prepared companies develop policies. Some buy eDiscovery or search software. Even better prepared Configuration Managed CMMI level companies define procedures. They begin data inventories. This is where I see it becomes interesting…

A typical company has a lot more data lying around than they really expect. Think about a day in the life of an enterprise. Email, IM, network file shares, database records, log files, security devices, executive summary reports, backup tapes, the list goes on. That’s not even considering end workstations, laptops or PDAs (where the majority of people I know do their work) or decommissioned hardware (there’s still data on those things), CD-R/DVD-Rs or other removable media. I’m sure you see the point; there are a ton of sources. That’s only half the problem.

If you ever learn about government data classification, there are three reasons something’s classified. It contains important information, the source of the information is important, or the information amalgamated from various parts into one location makes it important. This is why identity thieves hack corporate databases; it’s the proverbial ‘where the money is’ or until now the most consolidated repository.

So now let’s offer them a juicier target! Put the map to Curly’s Gold, and the Lost Dutchman’s mine, and all the rest of them In one location. Insiders and outsiders alike should be clambering for it, with the idea that you can pick and choose what’s most interesting. Want the network architecture diagrams? IT admin’s machine, here’s the IP address. Customer Personally Identifiable Information (PII) database? Oracle server’s on the fourth floor, want the table configs. Corporate strategy or yet to be released financials, aisle 12…

This is why most government documents become classified. Someone did the hard research and heavy lifting. Anyone that can put their hands on it just has to cite the paragraphs they want to look omniscient, or at least very well informed. A perfect example is an enterprise firewall rule set; the outgoing Port Allows from one site don’t provide much; couple the complete configs of all of the boundary protections and you have something someone may do harm with.

To counteract the centralized data repository threats from an infosec standpoint, we will put in place perimeter protections, audit the systems for hackers & insiders alike, instantiate policies as far as who should access what information with what sorts of separation of duties, etc… 10 years ago this was all pretty cutting edge and wild west gunslinger-esque. Today, it’s called industry best practices.

My question becomes one of Information Privacy and Policy: who’s keeping the snoops from browsing the celebrity hospital records? Or placing obviously needed controls prior to simply supplying all information available? Or when it’s just flat out wrong?

Seriously, who should have access? One of the better known companies that had to tackle this problem: Google. Every search made with Google winds up in a very big database with information such as IP addresses, search terms, etc. (ever read the privacy policy?). This much data in one spot is tempting, but it’s somewhat anonymized (recently), and according to Google security folks I’ve talked to, very well controlled by corporate policy and enforced with security protections. Only a handful of people have access, physical and logical. I would say Google may be the exception. Obviously, the end court will receive a redaction: if it’s pertinent to the case, they’re entitled to it by law. But someone has to do the sorting. Is it the attorneys, the IT staff, the management? Current Insider threats are hampered somewhat by the hard work of inventory and cataloging; they target the low-hanging fruit. Now, the most accessible jobs, probably interns and juniors, may be sorting the records considered for evidence.

What happens when the collected information comes from a company you worked for the past 20 years, and it comprises your whole life story, laid out on a silver hard drive platter? If they get parts of it wrong, producing inaccurate reports that slander your good name by opening lines of question well outside the original case? The Fair Credit Reporting Act legislation protects your credit info with the credit bureaus. Nothing right now controls eDiscovery accuracy. That’s not that big of a deal, with the idea being this info will ONLY be used in judicial proceedings or congressional hearings (steroids in baseball), and in those you start down the witness credibility path (I guess data creator credibility would be more accurate).

Do we need more legislation for protecting these huge information stores and location roadmaps, or can we rely even more heavily on information security professionals to instantiate further best practices? I’m a smaller government kind of guy, so I’d prefer industry policing. Unfortunately with the exception of the Payment Card Industry’s (PCI) work, the government has stepped in to clean up most of the debaucherous messes self regulatory models let through. Typically, once laws are enacted, industry conforms to the letter, doing the bare minimum to comply rather than what would be in the best interest of their customers. Just think of how far HIPPA falls short.

Obviously, there’s a great deal of work to be done with eDiscovery. Maybe the attorneys will make sure it’s done in the right way?

Hey, I found that black and grey argyle I was looking for…