Categories: Privacy

Urban Data Responsibility – The Battle for Toronto

The initial excitement over Alphabet’s Smartcity may be dwindling out of the perception that the tech giant will use the new development in the Harbourfront to collect personal data. The special attention given by interest groups to a project that actually has engaged the public and shown good faith may be giving companies the wrong lesson: Don’t engage the public and no one will care.

For several years, Turn Style, now Yelp Wifi, has captured, linked, and shared consumer confidential data with no public engagement and no protest from advocates.

By protesting against companies who are engaging the public – interest groups may be doing Privacy a dis-service

The project, run by Sidewalk Labs is set to be an ambitious feat which incorporates innovation with sustainability to build a city that is ‘smart’—technology that responds to users to create a highly efficient and responsive landscape. On the one hand, the public is excited for the opportunity to live in a highly efficient neighborhood whose core is sustainability and innovation, and on the other, the public is alarmed by advocates who claim that the project’s data collection and sharing is alarming. The graph below illustrates how feelings of excitement are progressively being overtaken by feelings of fear.

The real question we should be asking is whether the data being collected, is much different from the surveillance techniques we interact with daily. Traffic cameras- the low-tech version to Apples’s sensors- already track our movements. Our Presto cards, now increasingly necessary to use public transportation, store our travel data and can reveal where we live, work and who we travel with. Yelp Wifi is a known data predator, which indiscriminately and without consent tracks Torontonians’ entry and exit into 600+ local businesses. We sign onto unsecured servers to gain access to Wi-Fi when we are at a café or shopping mall, and most of us already give access to more information than we realize via the cellphones we carry and use to share personal information, at all times. Yelp’s retention policy is effectively indefinite. Opting out of their services is definitely not accessible even for the tech savvy.

Here is an excerpt of Yelp wifi data retention:

We (Yelp) retain all Personally Identifiable Information and Non-Personally Identifiable Information until the date you first access the Services or the time at which you instruct us in accordance with the terms hereof to remove your Personally Identifiable Information or Non-Personally Identifiable Information.

I have been following Yelp’s Wifi traction on privacy from when it was a startup on King West called Turnstyle. Their CEO was quoted “I want to desensitize people’s need for privacy”. Their traction on privacy has been disappointing. Reviewing their policies over the years, I found that:

Yelp Wifi’s retention policy is confusing and inaccessible, it violates the reasonable expectation of privacy

In my opinion, and despite all the noise, Sidewalk Labs’ proposal is reasonable. Their Digital Governance Proposal has principles that demonstrate good faith. Meanwhile, advocates are pushing for anonymization, a technique that allows the removal of personal identity from any sensor data.

In this discussion, some argue that the issue is not that Sidewalk Labs will collect data, it is that a corporation is cementing itself—literally—in the place of local government. What access will it have and who will it share our information with?

Like any good government, in order for citizens to have a voice and prevent any giant from taking over—political or corporate—there needs to be checks and balances in place to ensure compliance. In reviewing their proposal, I found that:

The sidewalk proposal is reasonable, however it is missing an important tenant of data protection, that is Audit.

Much like any public corporation that exposes its financial documents to a third party to perform its financial audit, Sidewalk Labs’ proposal is missing the potential of a technical audit by a third-party assessor.

I also find the counter points made by advocates to be lacking. The argument that anonymization offers protections in big data is misplaced:

Anonymization may be moot because data will be released to companies that have other sources to blend

The current negotiations happening are important but unless we understand how they will be enforced and regulated over time, they remain policy when in fact action is needed. This is new territory from a legal, political, and business standpoint and the truth is, Canadians do not have robust protections in place to safeguard them from privacy exploitation. As the law unfortunately drags behind, we must be proactive in how we build our security governance. Privacy audit companies have long been in the business of protecting our data—they ensure information is being stored and shared responsibly and, the way it’s intended.

As we continue to debate the Harbourfront project we must resist falling back onto tropes of progress versus preservation of the norm. Initially, we must realize that our norms most likely share more of our data than we would like. Then, we must understand that change is inevitable, but we have a chance to be part of that change and direct its course. Privacy Auditing allows us the opportunity to consistently ensure that our data is being used in the ways we intend for it to be used.

Now is not the time to step away from negotiations, particularly from a company that is welcoming feedback. How the project is developed and instituted will set a precedence and influence, not only for the Harbourfront area, but what we can expect from corporate governance and the future of privacy laws. It is in our utmost interest to take full interest and engage as extensively as we can to ensure an outcome that keeps its promise of innovation and sustainability.

As a private citizen, I welcome businesses that are open to listening and are engaging the public to expressing their opinion. The effort by Sidewalk Toronto and their partners is a work in progress that will need more attention and third party attestation.

Stay tuned for our upcoming pieces that continue to inform on Privacy by Design in the Big Data environment. 

Categories: Innovation

What I Learned Managing Millennials

A daily routine that includes continuously scrolling through Instagram, sipping kale smoothies, drinking Starbucks coffee, hitting the gym, and hanging out with friends, while still managing to fit in a full day of work is most-likely a Millennial.

Millennial. The four-syllable word that makes thousands of Generation Xers roll their eyes and cringe at the so-called “entitled” and “privileged” group born after the 80’s.

Not all, but most Millennials share the features of a short attention span, an obsession with social media, and a love to socialize. Although this may drive a crowd of Generation Xers to angrily grunt in agreement, from a managerial-perspective, these aren’t negative characteristics. In fact, they are actually valuable elements of a workplace.

In order to be an effective manager, as with all employees, it is important to understand the Millennials in the workplace. Clearly I have a different daily routine as them as I hardly scroll through Instagram and don’t think I could even get through an entire kale smoothie. I started to wonder that if even our daily lives are so different – how different are their expectations and interests in the work that they’re doing?

After discussing with the Millennials that I work with, they’ve explained to me their main priorities and interests. I believe it’s important to integrate these things into the workplace and foster an innovative environment for both them, and myself, as I know that I have a lot to learn from them.

From what I’ve gathered, Millennials’ priorities include: hanging out with their friends, finding a work/life balance, being passionate about the work they’re doing, and using social media to connect with people.

In my experience, these often overlooked interests allow Millennials to be valuable assets in the workplace. Millennials are conditioned to immediacy and will find solutions to get work done quickly and efficiently, with the ability to do several things at once. They are fluent in media, and natives of the digital world, creating innovation in technology. With constant posting and use of social media, Millennials are naturals in communications and marketing. They foster cohesiveness and team-building in the workplace. They thrive on community and naturally build it within a workplace.

Unlike many of us Generation Xers, Millennials aren’t as interested in climbing the ladder or making mass amounts of money as they value these other priorities. Some may not be interested in becoming a leader or gaining status whatsoever. They may be simply trying out different positions for the sake of having new experiences. It’s important to ensure that they are passionate and interested in their work, and that they aren’t doing repetitive, boring tasks. Some of us have spent years doing jobs for the sole purpose of getting a promotion or making money. To those born in this new generation, they focus on pursuing their passions, and focusing on the present.

Most Millennials grew up in a contented environment, where they were given independence from a young age, not under strict authority. This translates to giving millennial workers lots of independence and creative freedom in the workplace. Rather than constantly correcting, or giving strict guidelines, allow them to work on projects where they can implement their own ideas and strategies.

Millennials are conditioned with an ethical value system that Generation Xers weren’t naturally exposed to. Surrounded by ethnic diversity, planet-saving initiatives, socio-economic rallies, and an overall environment that strives for equality, Millennials are aware of the social responsibilities of the companies they work for. They have a balance between their need to excel in their work and their ingrained moral ethics.

Ultimately, we all have a lot to learn from the Millennials in our workplace, and they have unique perspectives that should be heard. Acknowledge and understand the differences you have, and incorporate them into the workplace to create a challenging and thriving environment.

 

By Wael Hassan and Tessa Barclay

Categories: Security, Uncategorized

An Enterprise Legal Reference Model

We have developed an enterprise reference model used to conceptualize enterprise elements. The model suggests three planes:

  1. Subject and role-grouping plane: In this plane, the subjects are grouped into roles. Roles reflect subject access rights into the processes and activities of the middle plane.
  2. Process and activity plane: Here, processes are organized in a hierarchy which includes activity graphs.
  3. Object plane or data plane: This is the plane of data object identifiers. Objects enclose data.
Governance Analysis Method - Enterprise Reference Model
Enterprise Reference Model

These three planes are connected by mapping from the subject plane to the process plane. Mapping represents a logical association usually indicating right of access, or operating on an object to complete the process. Our method will focus on the top two layers of the reference model, namely the subject and the process layers.

The layers can be described as follows:

Subject plane

The subject plane includes the user groups and their roles. In enterprise governance requirements, a user or a group of users (a role) can be the subject of legal requirements. For example, the privacy or financial officer is a role defined by laws such as PIPEDA and Sarbanes-Oxley (SOX). Role formations are not mandatory, but they are almost pervasive in enterprise definitions. There are numerous references in legal requirements to role groupings.

Process plane

The process plane defines the process workflow. The process flow has the ability to implement process requirements, which are requirements that specify process compositions, in addition to precedence relations between activities. The process plane acts as the intermediary between the subject and object planes. It assists in mapping processes to the object layer. A mapping defines an explicit ‘reachability’ relation from users to activities and to objects. Semantically, a relation between an activity and an object means that the activity has access to an object. Given that there is a strict mapping between objects and activities, we shall consider access to an activity equivalent to object access.

Object plane

The object plane consists of object references. These references can also refer to composite objects. Our method will focus on the top two layers of the reference model, namely, the subject and the process layers.