On April 4 at 10am Pacific, Oracle Identity Management (@OracleIDM) will be
hosting a Twitter conversation on privacy (#PrivQA). I am pleased to confirm
that the Ontario Commissioner of Information & Privacy, Dr. Cavoukian, will be
joining the conversation. In particular, I would like to encourage privacy and
security industry folks to participate. For more information, see our recent
newsletter Q&A (http://www.oracle.com/us/dm/nsl100162749-qadrcavoukian-1919966.html)
with links to her whitepaper on privacy by design (PbD).
Privacy is an issue that has been of concern to me and many other industry
professionals. Most of us continue to be amazed that for the most part, both
users and the application developer community simply do not care. When the
subject arises, eyes immediately shut with yawns soon to follow.
Yet, every day, more and more problems emerge in the industry that are leading
to monetary and even physical harm. For example, financial fraud appears to be
exploding, fuelled by easy access to personal information available on social
services. Fraudsters combine social demographic information to leverage weak
classic communications media like fax and telephone to convince financial
institutions to transfer funds (http://www.fcac-acfc.gc.ca/eng/consumers/fraud/onlinefraud/social/).
In another case, access to private information in Google apparently enabled
hackers to compromise Mat Honan's Apple accounts, even remotely wiping out his
laptop, iPad, and iPhone (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/).
Here, where I live in BC, there is the sad story of Amanda Todd, who was
bullied to the point that she committed suicide. Was this a lack of privacy? Was
there a lack of appropriate anonymity? Was this poor system design? We
are only just beginning to understand how far reaching privacy issues can be.
These cases also show there are some interesting relationships between
anonymity, privacy, and security that need further exploration. Do I need to be
anonymous? I live an honest life, why do I need to keep my personal information
private? Why should I care about anonymity? The system is secure, right? Nobody
asks whom the security is intended for. What motivates the service providers?
What damages do they face in the event of real losses? We are now discovering
that while we may have the best of intentions, the fraudsters out there do not.
Boring as the subject of privacy may seem, we should all be worried. We should
Dr. Cavoukian's efforts to get our industry to start thinking about
Privacy-by-Design are to be applauded. I'm not sure where this will go, but I'm
glad this conversation has started. Remember to join in the Twitter
conversation on April 4 at 10AM (Twitter hashtag #PrivQA).
Hunt joined Oracle as part of the November 2005 acquisition of OctetString
Inc. where he headed software development for what is now Oracle Virtual
Directory. Since joining Oracle, Phil works as CMTS in the Identity Standards
group at Oracle where he developed the Kantara Identity Governance Framework
and provided significant input to JSR 351. Phil participates in several
standards development organizations such as IETF and OASIS working on
federation, authorization (OAuth), and provisioning (SCIM) standards.
Phil blogs at www.independentid.com
and has a Twitter handle of @independentid.