Archive for the ‘Identity Management’ Category

5 Jan 2017

Privacy Tech-Know Blog: Your Identity: Ways services can robustly authenticate you



Traditionally, we have logged into online systems using a username and password. These credentials are often compromised, however, when databases containing them are breached or when we are tricked into providing the information to fraudulent individuals or websites (often through phishing or other social engineering attacks). Once these credentials are compromised, attackers can use them to log into the associated online services. Even worse, because people often reuse their usernames and passwords, the attackers can access multiple services.

In order to better verify that it is actually you submitting the username and password, organizations are increasingly turning to multi-factor authentication (MFA). MFA requires you to present multiple types of authenticating information, such as a username and password along with a unique code displayed on a token or smartphone. MFA can stymie attempts to log into a service by guessing your password or using stolen usernames and passwords. A related, less powerful technique is two-step verification, which requires two pieces of information of the same kind of factor, such as two pieces of information that you know, whereas MFA requires different types of authenticating information.



8 Dec 2016

Privacy Tech-Know Blog: Uniquely You: The identifiers on our phones that are used to track us



Canadians’ mobile devices are filled with applications that collect personal information, including identifiers that are engrained into different parts of the devices. But what exactly are these identifiers, and how are they used?

An identifier is a piece of information (usually a sequence of characters) that’s used to uniquely identify a device, a user, or a set of behaviours taken on the device. Mobile identifiers constitute privacy-affecting technologies because they can be used to correlate an individual’s various activities while using a phone, tablet, or other connected device, and they support the linking of devices with actual persons.

Our mobile devices are filled with identifiers that uniquely label different components and behaviours. The radios and other physical hardware, operating systems, applications, and even web browsers are all rife with identifiers that can uniquely identify the device, the person using the device, or the behaviours of the user. And while these identifiers are typically meant to serve a useful purpose, the user is often unaware that these identifiers exist or how they’re collected and used. We will outline several of the most prominent identifiers associated with mobile devices and their significance for privacy.



2 Sep 2015

Child sweepers share observations on web/mobile app privacy



Privacy Commissioner of Canada Daniel Therrien pops in on Global Privacy Enforcement Network Children’s Privacy Sweep where a few kids are on hand to help.

A children’s privacy sweep with no children? In the words of cartoon curmudgeon Charlie Brown, “good grief!”

. . . and that was roughly the genesis of the Office of the Privacy Commissioner of Canada’s (OPC) first ever Kid’s Sweep.

Nine youngsters, the offspring of OPC employees who also participated in the Sweep, descended on 30 rue Victoria one early May morning during International Sweep Week.

Fuelled on promises of pizza and cookies, the seven to 13-year-old boys and girls parked themselves in front of the laptop or tablet of their choice. Their job? To interact with their favorite apps and websites, thus recreating the user experience under the watchful gaze of their parents who took notes on how they navigated the privacy settings, or lack thereof, as the case happened to be for some sites.

The following is an edited transcript of what the kids, and their parents, had to say during a post-Sweep debrief before the smell of hot cheese and pepperoni wafted into the room and snatched their attention.

Did you have fun?

“Yeaaah!” (Kids shout in unison.)

Was anything hard or frustrating?

“It was hard to read privacy policies; they were really long and boring.”

Was it hard to sign up for some of the websites?

“If you are under 13, you are redirected to (the kid’s version of the website.)” Mom proceeded to explain that her son nonetheless managed to find a work-around.

What were some of the personal questions the website or app asked you?

“Where do you go to school? What’s your address?”

“It asked if you’re a student or a teacher.”

“It asked what gender you were.”

“Date of birth.”

“(On one website), if you typed in your real name, it wouldn’t take it or any short form of the name.”

“My photo.” (Mom added: “I wouldn’t let him. I shut it down real fast.”)

“It asked for what grade you were in.”

“(One website) asked for your picture but we just used a picture of a penguin that was already saved on the computer.” (Mom added: “But then it encouraged you to use a real picture.”)

Did you always understand what the website or app was asking for?

“When I was working on (one website), I thought there were games made by other people that you could play but it was just shopping. That’s where there was the long and boring parts.”

Did any websites or apps tell you to go get a parent to help you?

“Before you were able to get on (one website), they send an email to your parent.” Mom added: “And the parent had to confirm.”

“On one website there’s a privacy mode so if you’re under 13, you can’t change it. If you want to change your age, you have to ask a parent by email.”

Did you ever click on something that led you to a totally different website?

“I was on (one website) and there was this little thing on the top of the page that said ‘are you a boy or a girl.’ It didn’t really look like an ad but it was just like a little thing with a picture and so, of course, we clicked on it and it went to another game website and it showed you a trailer.” Mom added that it was “teen rated” and included a warning that the content contained “violence, blood, partial nudity and alcohol.”

If you had to sign up for an account, did the website or app make it easy to delete your account when you were done?

“I was on (one website) and there was an option to delete the account and it deleted right away.”

Did anybody have trouble?

“A little bit. You had to email the company to delete it.”

– – – – –

Days after the Kids Sweep we got some great feedback from one of our parental sweepers who quipped that her kids are now tattling on each other for failing to read privacy policies. She added:

“They had a really good time and learned a lot about thinking critically when it comes to their personal information. If the result is that they make one brighter choice about their own privacy, then it was 100 percent worth it to me.”

It was this very comment that inspired one of our post-Sweep follow-up activities. The OPC has drafted a classroom activity for Grade 7 and 8 teachers across Canada based on our 2015 Kids Sweep.

We’ve simplified the Sweep form used to assess the privacy communications of apps and websites and are encouraging teachers to conduct privacy sweeps with students using the forms as a way to kick off a discussion about online privacy and the protection of personal information.

Alone or in groups, we are encouraging students to “sweep” their favorite apps and websites, to learn how to read privacy policies, to learn about tracking, the different types of personal information that might be collected and to discuss their observations with their teacher and peers. We’ve also provided a take-home tip sheet dubbed Pro Tips for Kids: Protecting Your Privacy for students and their parents.

Note to teachers: you can find the classroom activity on our website. As for parents and guardians, if it’s not something your kids are learning in school, think about adapting the lesson plan as a rainy Sunday afternoon activity!

Intimate, controversial or embarrassing photos and comments can have a lasting impact on a person’s reputation. Today, digital literacy is as important as learning your ABCs, and kids who understand and implement safe online privacy practices are less likely to make the sort of mistakes that could haunt them in the future.

Click here for more on the results of this year’s Children’s Privacy Sweep.


29 Apr 2013

Grappling with the impact technology is having on privacy


This week is Privacy Awareness Week (PAW) – a global effort, coordinated by members of the Asia Pacific Privacy Authorities (APPA), to raise awareness about the value of privacy and the importance of protecting it.

For PAW 2013, APPA created an infographic that illustrates how technology has changed the way we communicate, do business and store information, and how this has introduced new privacy risks as a result.

It is an issue that many are thinking about. According to OPC’s recent survey, Canadians are increasingly anxious about their privacy in the face of new technology, and 70 per cent of them feel they have less protection of their personal information than they did 10 years ago. The research also indicates that Canadians avoid downloading apps or using certain websites and services due to privacy concerns.

What can we do?

It is true that consumers expect protections when they use products and services, but it is important to also realize that consumers have an important role to play and need to take an active approach when it comes to protecting their personal information. The best thing anyone can do, when using technology to collect or store personal information, is to understand the privacy risks that come with that technology. And here are some resources to help with that task:

Mobile App: We use our mobile devices to store a goldmine of personal information. To learn more about how to protect the personal information on your mobile device, download the OPC’s free myPRIVACYapp.

Video: Privacy and Social Networks: Do you know what happens to your personal information once you post it on to social networking sites? Watch this video that OPC created to understand how social networking sites make money off of your personal information. It may cause you to ask yourself some tough questions the next time you update your information online.

Infographic: 10 tips for preventing identity theft: Anyone who has personal information is at risk of identity theft, and the risks are higher now that we use technology for so many purposes. And while it’s impossible to entirely eliminate the risk of becoming a victim, it is possible to reduce it. The OPC’s infographic details 10 things you can do to prevent yourself from becoming a target.

Introduction to Cloud Computing: When you store your photos online instead of on your home computer, or use webmail or a social networking site, you are using a “cloud computing” service. The OPC’s fact sheet explains the privacy implications of this.

For more information on the privacy risks that come with technology, and on how to protect yourself, visit the OPC’s page of fact sheets covering a range of issues and topics.


18 Apr 2012

OPC Hosts First Pathways to Privacy Research Symposium


The Office of the Privacy Commissioner of Canada (OPC) will be hosting its first annual Pathways to Privacy Research Symposium on May 2, 2012, in Ottawa!

The theme for this year’s event is Privacy for Everyone, and we will be discussing the results of research on emerging privacy issues among communities of interest. This year’s event was organized with the assistance of Industry Canada and the Social Sciences and Humanities Research Council of Canada (SSHRC).

Discussions will explore topics such as the changing landscape for youth, reaching diverse populations, cultural perspectives on privacy and frontiers of identification and surveillance among different populations.

This Symposium is a great opportunity to discover privacy-related research funded by the OPC’s Contributions Program and other funders, and will serve as a forum to bring together the people who do the research and those who apply it. Ultimately, we want to enable more people to use and benefit from the excellent privacy research that is being done across Canada. This event is also sure to be a great opportunity to share knowledge, grow partnerships and expand networking among researchers.

A detailed program for the event is available on our web site. If you are interested in participating, please contact Melissa Goncalves at melissa.goncalves@priv.gc.ca or 613-947-7097. Please note that limited audience seating will be available.


9 Sep 2011

OPC Unveils New Youth Privacy Tool


The Office of the Privacy Commissioner of Canada is launching a new youth privacy tool that will help teachers and community leaders talk with younger Canadians about their privacy online.

The tool launched today is called Protecting Your Online Rep and comes right in time for back-to-school. It offers people who work with youth all the information necessary to provide an engaging and effective presentation in their own school or community.

The package includes a PowerPoint presentation with detailed speaking notes for each slide, along with class discussion topics, for Grades 9 to 12 (Secondary III to V in Quebec). Educators and others interested in delivering the presentation can find the package here.

The goal of the new tool is to teach young people that technology can affect their privacy, and to show them how to build a secure online identity and keep their personal information safe.

Link to news release


8 Aug 2011

Insights on Privacy – Youth Privacy


Do youth care about privacy? We will explore this question on September 8, 2011, when our Office holds its next Insights on Privacy armchair discussion.  We have invited two experts on young people’s use of social media, Kate Raynes-Goldie (@oceanpark) and Matthew Johnson (@MFJ72) to talk about what privacy means to youth and how we can help youth preserve their privacy by promoting digital literacy skills.

Kate Raynes-Goldie is completing her PhD in the Department of Internet Studies at Curtin University of Technology. Her current research explores Facebook privacy issues by combining a study of the ideologies that drive the site’s privacy architecture with a nuanced look at user understandings and practices. Kate is also a Research Associate at Ryerson University’s EDGE Lab, where she is researching privacy, autonomy and social media for children.  She is the founder of PrivacyCampTO, Canada’s first privacy unconference. 

As Director of Education with Media Awareness Network, Matthew Johnson creates resources for educators, parents and community groups. He is the designer of MNet’s comprehensive digital literacy tutorials Passport to the Internet (Grades 4-8) and MyWorld (Grades 9-12). Matthew also writes the Talk Media blog, one of the most popular sections of the MNet Web site.  He has given presentations and interviews to parents, school, community and industry groups on topics such as the effect of media violence on children, video game addiction, alcohol advertising, children’s use of new media and the moral dimensions of computer games.

This event is the fifth in a series hosted by the OPC to shed light on experts doing new and thought-provoking work in the field of privacy.

To participate:

We are inviting full participation in this discussion. For those of you who attend the session in person, we will be asking for questions from the audience as well as inviting you to tweet the content using the #privtalks hashtag.

If you are unable to attend the session in person, and would like the speakers to address a particular aspect of this topic, please send your question to knowledge.savoir@priv.gc.ca by September 2nd and we will try to incorporate it in the issues we cover.

The video of this event will be made available after the presentation, as we’ve done for previous Speakers Series events.

Space is limited and is available on a first-come, first-served basis. Please RSVP before September 6th, 2011. Simultaneous interpretation for both official languages will be available.

When: 2:00-4:00 p.m. Thursday, September 8, 2011
Where: Minto Suites Hotel, 185 Lyon Street North, 2nd Floor, Salon Vanier/Stanley

RSVP: knowledge.savoir@priv.gc.ca


20 Jul 2011

Young Canadians in a Wired World – Phase III is Here!


The Media Awareness Network, benefactor of the Office of the Privacy Commissioner’s Contributions Program, has launched the third Phase (Phase III) of its ongoing study, Young Canadians in a Wired World (YCWW). This third phase is a crucial element to the project, as it will shed a more distinct light on the need for online education resources in classrooms and communities.

The study is the most comprehensive and wide-ranging study of youth internet use in Canada. The project tracks and investigates the behaviours, attitudes, and opinions of Canadian children and youth with respect to their use of the Internet. There have been two previous phases over seven years. The first comprised telephone interviews with parents, focus groups with parents and children and quantitative research findings from a national school-based survey of 5,682 students in grades 4 – 11. The second included qualitative research findings from focus groups with parents and young people aged 11 – 17, and quantitative research findings from a national school-based survey of 5,272 students from grades 4 – 11. You can find more information on these first two phases here.

MNet’s research has gathered a wealth of information about the online activities of Canadian youth, and has raised a number of privacy issues that require society’s attention. Perhaps most importantly, the research has highlighted the importance of education as a key response in helping young people make smart and informed online decisions, as well as stay safe online.

The third phase in MNet’s research will help inform public policy and support the development of relevant digital literacy resources for Canadian homes, schools, and communities. MNet has already begun implementing the new research through various interviews and focus groups. Phase III of the research project is scheduled to be completed in 2012, finishing with a nation-wide field study of a representative sample of Canadian students and teachers.

Stay tuned for more updates about this exciting endeavour.

For more information, please contact Francois Cadieux at Francois.Cadieux@priv.gc.ca.


29 Mar 2011

Insights on Privacy – Adam Greenfield and Aza Raskin


On April 20th, 2011, our Office is holding the third Insights on Privacy armchair discussion. We heard in February about what motivates us to reveal or conceal details of our personal lives, and how we protect the private lives of others around us.

To complement this talk, we’ve invited tech innovators Adam Greenfield (@agpublic) and Aza Raskin (@azaaza) to explore opportunities for privacy in the design of intimate devices, like smart phones, that we share our lives with every day, to the sensor-rich landscape that’s upon us. We’ll discuss opportunities for companies to empower individuals with greater choice and control over how their data are used and for greater collaboration within and across industry sectors.

In his 2006 book Everyware, Adam Greenfield argued that we were headed for a world in which keeping the boundaries between different roles in our lives was going to prove untenable. That notion is coming to pass with the current debate over the public/private divide and the blurring of our various roles and reputations online. Adam was Nokia’s head of design direction for user interface and services from 2008 to 2010 and Lead Information Architect at Razorfish Tokyo. His current projects through Urbanscale focus on improving how users experience technology, such as stored-value cards for public transit and many other “smart-city” initiatives.

Aza Raskin’s passion for improving the way we experience technology recently had him heading up user experience for Mozilla, developer of the popular Firefox browser, where he rethought and simplified conventional approaches to privacy policies. Raskin left Mozilla in late 2010 to launch the start-up Massive Health, with the goal of helping people improve control of their health through innovatively designed technology and the ways we interact with it.

The video of this event will be made available after the event, as we did for the December 10, 2010 event with Jesse Hirsh and Chris Soghoian and for the February 28, 2011 event with Christena Nippert-Eng and Alessandro Acquisti.

Space is limited and is available on a first-come, first-served basis. Please RSVP before April 15, 2011. Simultaneous interpretation for both official languages will be available.

When: 2:00-4:00 p.m. Wednesday, April 20, 2011
Where: Minto Suites Hotel, 185 Lyon Street North, 2nd Floor, Salon Vanier/Stanley

RSVP: knowledge.savoir@priv.gc.ca


16 Feb 2011

Online profile linking using usernames


There have been recent reports about security vulnerabilities arising from the reuse of passwords on different web sites. What about the reuse of usernames? Can identities established on multiple web sites be linked together based on the usernames, and what are the implications for privacy?

A recent research paper from INRIA in France described an experiment that looked at over 10 million usernames from popular services such as Google and eBay. In some of the tests, Google profiles that listed multiple accounts on different web services were used to establish “ground truth” about linked usernames.

The first finding was that the usernames chosen by people on the various websites tend to be highly distinctive, with the probability of duplication being approximately one in one billion. This was true for a variety of web services, including a corporate network, Finnish web forums, and MySpace.

Second, the researchers found that when people used different usernames for different services, many of the usernames were constructed by making very small changes to existing usernames (e.g., sarah, sarah2).

Third, the study demonstrated that more than 50% of the usernames created for different services could be linked to one another because the username was identical, or very similar, and unique from other usernames.

The results are important for privacy protection. Although you may limit the amount of personal information you reveal when using a particular service, if your profile can be linked to other services, then a detailed personal profile can be constructed from the various bits of partial information. This could lead to embarrassment if a supposedly anonymous profile is linked to a real-world identity. Spammers and fraudsters could also gather information from multiple services to target their messages or launch phishing and social engineering attacks.

In a demonstration of the risks involved, a quick examination of people using anonymous file sharing services (private BitTorrent trackers) found that 13 out of the 20 usernames examined could be linked to other web services (e.g., YouTube, eBay) and 4 usernames could be linked to real-world identities.

The lesson is similar to the warning about passwords – make sure that you choose a truly unique username (and password) for each service that you do not want linked together.
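
As an added illustration (not part of the original post and not the INRIA researchers' method), the following self-audit checks which of your own usernames are identical or only a small edit apart, like the sarah / sarah2 case above, and so should be treated as linkable. Plain edit distance stands in for the paper's analysis and does not model how unique a name is; the service names, handles and the 0.75 threshold are constructed assumptions.

```python
from itertools import combinations

# Constructed sample: the handle one person uses on each service.
MY_HANDLES = {
    "forum": "sarah",
    "webmail": "sarah2",
    "auctions": "Sarah_2",
    "video": "qz7-lantern",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical names (ignoring case), falling towards 0.0."""
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest


def linkable_pairs(handles, threshold=0.75):
    """Service pairs whose handles are similar enough to be matched.

    The threshold is an assumed cut-off, not a value from the study.
    """
    pairs = []
    for (sa, ua), (sb, ub) in combinations(sorted(handles.items()), 2):
        score = similarity(ua, ub)
        if score >= threshold:
            pairs.append((sa, sb, round(score, 2)))
    return pairs


def linked_groups(handles, threshold=0.75):
    """Merge linkable pairs into groups of services that expose one identity."""
    parent = {s: s for s in handles}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]  # path compression
            s = parent[s]
        return s

    for sa, sb, _ in linkable_pairs(handles, threshold):
        parent[find(sa)] = find(sb)

    groups = {}
    for s in handles:
        groups.setdefault(find(s), set()).add(s)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for a, b, score in linkable_pairs(MY_HANDLES):
        print(f"{a} <-> {b}: similarity {score}")
    print("groups:", linked_groups(MY_HANDLES))
```

Any service that lands in a group with another is one you should assume can be tied to it; a handle that stays in a group of its own is the goal for accounts you want kept separate.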