Friday, 21 August 2015


I'm pretty sure this is just hot water...

"Ceci n'est pas te."

Maybe we need a better semantics for what tea (and coffee) actually are... and not this kind of "treachery"!

Maybe it is homeopathic tea?

Tuesday, 18 August 2015

On Being Privacy Risk Adverse

Being risk adverse in [IT] system development isn't always a bad idea - consider mainframe technologies which are constructed to avoid any kind of failure bringing the whole system down, or not using the latest, greatest JavaScript library for your mission-critical web development...

Risk management in privacy has come to the fore of late, especially the with publication of the NIST standard of risk management. So today's conversation about being risk adverse and how one assess risk in privacy was extremely interesting.

Consider this:

Collecting personal data (or PII) is a risky activity and therefore must be minimised as much as possible.

The definition of personal data is very weak, but it is always best to consider almost everything personal data in case it is cross-referenced with other data (which would make it personal data)


Don't collect anything. Ever.

While extreme, it shows how a misplaced understanding is many aspects, including what is risk and the nature of information (personal data) can lead to extreme situations and conclusions.

While NIST is absolutely correct in its assessment that we need proper risk management procedures, how these relate to requirements, information type and all of the other privacy ontological structure is as yet very, very weak.

In fact, terms such as personal data and PII do not come even close to being in any form usable for risk management - for this we need to go much deeper into the nature of information. For example, instead of "personal data" we could use classifications on information type and a mapping from different kinds of data (of these types) to risk metrics (note the plural). An overall risk value can then be more accurately calculated - or at least be calculated on the basic of what information we actually have.

You can read more about this approach to privacy engineering in the book: Privacy Engineering - a dataflow and ontological approach.

Monday, 17 August 2015

Google Blogger and EU Cookie Laws

This is very kind of Google...providing you with an automatically generated privacy notice to European customers as detailed on the Blogger settings page:

This to me highlights a few problems with privacy laws and compliance:
  • Firstly, you have to understand EU privacy laws
  • You have to understand how to write such a notice
  • You have to understand what systems such as Google Analytics etc actually collect and process.
  • You might have to provide an opt-out mechanism such as Google's Analytics Opt-Out.
For 99.999% of bloggers (+/- a few %age points), I strongly doubt that any of this is understood or even known about at all.

So while Google might come in for some criticism for its dominance in the information gathering domain, they at least try to make things easier for their customers.

Then there's the EU Cookie Consent Kit which guides you through at least one part of the consent notice maze.

As an exercise, write a simple work out what privacy notice you should display. Just to make it interesting, you are not allowed to have any contact with a privacy lawyer nor anyone who has a detailed knowledge about such things.

This quote by Einstein (often misattributed to Feynmann) sums up privacy laws and the average person writing a blog:

You do not really understand something unless you can explain it to your grandmother

Our privacy laws have become so complicated and often so misaligned with technology that they can not be easily understood by the average Internet user.

Saturday, 15 August 2015

Internet Marketing (Humour)

People often ask privacy professionals how they lock down their PCs to prevent loss of their data, tracking etc, or whether they use Facebook, Twitter etc...well the truth is, privacy professionals tend to be quite selective on what they post, and in some cases, leave one or two browsers or PCs deliberately open for various reasons. One is to game advertisers, or maybe to examine what advertisers and marketers are actually doing.

One thing I have noticed is that certain retailers, for example Gigantti of Finland comes to mind, obviously pass my purchase details on to some marketer/advertiser. I don't ever remember being asked to opt-out of this, but, I do now get adverts for the things I've just bought. They could redirect their advertising budget and remove a few middle managers and save a pile of cash instead...

Then there's things like this:

I must admit I love these; I never click on them, but without such crap as this, the Internet would be a lot less let's start.

Top left...doctors are annoyed at a 53 yo mother because she's found a miracle cure to wrinkles. I'm actually more surprised that it isn't cosmetic companies who are annoyed - surely they're the ones who'll be put out of business. I think doctors (even cosmetic surgeons!) have much more important things to worry about. Then you have to ask, "Who is this woman?"  Surely if she's upset so many doctors and discovered a miracle cure for wrinkles why isn't she on magazines, TV or even Oprah?!

Top women don't want other diets, just a pill that is exceptionally powerful. I guess this is some kind of diet pill and again I'm sure dieting companies would be more than interested in this, but...On the other hand I'm not sure that most women want to go from being normal and healthy to a misproportioned anorexic.

Top right...same again, except a selfie-obsessed, European looking blonde (so it isn't just asian women who know about this) receives a malformed, badly photoshopped lower body by using some secret Asian fat burning trick...

Bottom left...SIPOO?!?! If there are millionaires in Sipoo with that kind of yacht then they're probably getting its wreckage salvaged from the islands in the archipelago after they've run aground. Monaco would have been better idea with that size of yacht and the climate better for all those trees and the swimming pool. Nice use of IP geo-location to personalise that advert to me; almost had me fooled for a moment.

Bottom middle...I have those vegetables in my fridge: broccoli and coriander...sorry, kale and cilantro. Another interesting medical claim and I'm left wondering how those vegetables target those specific areas of your body and how this hasn't been discovered before given that we humans do eat quite a variety of vegetables. I wonder what would happen if you would dilute these vegetables in a big vat of water, shake it, dilute it again, shake it and so on until only a trace of the memory of the vegetables is left?

Bottom right...this is easy for a privacy professional, the EU have already come to your rescue with the Right to be Forgotten. Though I guess if getting out of your Ferrari while posting for the waiting paparazzi is your thing, then the right to be forgotten is probably way down on your list of things to worry about. Unless of course there's that picture in Hello magazine of your looking frumpy and which cases I can recommend a miracle pill and two vegetables to help, and if there's any left over skin after the diet, there's a 53yo mother you can talk to; assuming you can get past the rioting throngs of doctors baying for her blood...

Marketing and advertising with a touch of personalisation, the Internet wouldn't be the same without it :-)

Thursday, 13 August 2015

A Privacy Mind Map

I found this in my archives, basically a mind map of thoughts I had on privacy as viewed in different contexts at that time. I won't write more for the moment, but I'll place the mind map here as it might be interesting, or even spark a discussion to two...

A Privacy Mind-Map