Tanya L. Forsheit, Esq., CIPP writes about the EU Data Protection Directive and Cloud Computing:
The most notable thing about the EU Directive and member state laws for purposes of cloud computing is this -- in the absence of specific compliance mechanisms, the EU prohibits (yes, you read correctly, prohibits) the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world.
What does this mean for cloud computing? If you want to put data in the cloud that includes personal information of EU residents (and that might be something as simple as an email address or employment information), and the data will flow from the EU to almost anywhere in the world, you cannot simple throw the data in the cloud and hope for the best. You need to have, at a minimum, one or more of the following:
- International Safe Harbor† Certification (which allows data transfer from the EU to the US, but not from the EU to other countries);
- model contracts (which allow data transfer from the EU to non-US countries, but do not always work well with multi-tiered vendor relationships); or
- Binding Corporate Rules (which are designed for a multinational company and therefore may not function well for cloud provider relationships).
Read more .. ..
† Safe Harbor Act also known as the European Union Data Protection Directive
- The act prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.
- US based companies should try to obtain Safe Harbor Certifications
- Slightly higher standard than California Privacy Laws. Somewhere between EU and US
- Requires you to do the work up-front. 6 months - 1 year of work required. Annual re-certification required
- Attaining Safe Harbor certification elevates reputation of the company
North Carolina State University web accessibility group has put together a nice accessible modal window for use in webapps.
Check it out in action at:
source available at:
Modal windows are not good for accessibility. Unfortunately, lot of content is being pushed into modal windows these days. For example, Jira’s Issue Tracker brings up the new issue input form as a modal window. And some social graph enabled apps display the followers/followees in a modal window. I am pretty sure this is not what the modal windows were intended for. And probably is not good for accessibility.
If you have some examples of bad modal window usage, please share them in comments. Thanks! :)
Nice cheat sheets for creating accessible documents:
For finding web accessibility issues use WAVE:
I ran the WAVE accessibility checker on my website
, and found few issues, which I fixed promptly :)
A federal appeals court says employees are not liable for damages under anti-hacking laws for accessing their employers’ computers for disloyal purposes.
The 9th U.S. Circuit Court of Appeals ruled that workers authorized to access company computers do not lose or exceed that access under the Computer Fraud and Abuse Act (CFAA) even if their intent was to acquire data to open a competing business (.pdf). CFAA is the "root" law that criminalizes an attack on any computer connected to the internet.
There is no language in the 1984 anti-hacking statute, the San Francisco-based appeals court said Wednesday, supporting the “argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interests.”
Following are some of the notes I took from the lecture.
Socio-technical systems: It is not just the technology that causes privacy issues. It is the technology embedded in the social system. e.g. RFID implanted into humans or RFID enabled passports.
Three classifications of socio-technical system:
- Tracking and monitoring systems e.g. Web browser cookies.
- Systems that aggregate and analyze - Choicepoint, Amazon's personalized recommendation system.
- Systems that broadcast, disperse, distribute, propagate, publicize and disseminate information. - e.g. making court records, which are public, available online. In this case the web is technical system that disseminate the court records.
Controversial vs non-controversial socio-technical systems. Medical devices in use at hospitals are non-controversial and maybe beneficial. However, using information electronic toll collection on freeways to track someone's movement is controversial.
Traditional approaches to privacy:
- Private / Public duality (dichotomy). This is an oversimplified approach. It may be argued that what is public maybe disseminated by any medium. e.g. Google's street view, license plate recognition is not a privacy breach as both streets and license plates are public in nature. Private / Public dichotomy maybe good in political philosophy, but it is problematic in privacy realm.
- The measure of respect for privacy is the control of information by the subject. i.e. the subject has control over what gets revealed and what does not.
- Lobbying for what is constitutes as a privacy breach and what doesn't. Especially problematic if the privacy is considered a preference rather then a moral right.
- Privacy vs. other values (e.g. security).
These approaches are limited and do not work.
Dr. Nissenbaum's proposed approach: Contextual Integrity. Based on privacy as a human/moral right.
Contextual Integrity is a measure of how closely the flow of personal information conforms to context relative information norms. Contextual integrity is breached when these norms are violated and is respected when these norms are enforced.
Context relative information flow norms: In a context the flow of information (particular attribute) about a subject from a sender to a recipient is governed by a particular transmission principle. Context (circumstance), attributes (information about the subject), actors (subject (information owner), sender and receiver) and transmission principles are the key parameters. All these parameters must be taken into account when performing a analysis of the information flow. Google street map argument fails because it only takes one principle i.e. attributes (streets are public) into account and ignores the other key principle i.e. the context (distributing it over the web and making it widely available).
Fiduciary transmission principle: You trust someone with private information about yourself under the assumption that your private information will be used to benefit you and not harm you.
Privacy is not secrecy but rather appropriate flow of information.
What is privacy?
- "Privacy is the right to control information about and access to oneself." – Regan, P. M. (1995). Legislating Privacy: Technology, Social Values, and Public Policy. University of North Carolina Press.
- "Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves." – Fried, C. (1984). Privacy (a moral analysis). In F. D. Schoeman, Philosophical Dimensions of Privacy (pp. 203-222). Cambridge University Press
- "Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. .....privacy is the voluntary and temporary withdrawal of a person from the general society through physical or psychological means, either in a state of solitude or small-group intimacy or, when among larger groups, in a condition of anonymity or reserve." – Alan F. Westin, Privacy and Freedom (New York, NY: Atheneum, 1967).
- “A loss of privacy occurs as others obtain information about an individual, pay attention to him, or gain access to him. These three elements of secrecy, anonymity, and solitude are distinct and independent, but interrelated, and the complex concept of privacy is richer than any definition centered around only one of them.” – Gavison, R. (1984). Privacy and the Limits of Law. In F. D. Schoeman, Philosophical Dimensions of Privacy (pp. 346-404). Cambridge University Press.
- "Privacy is a limitation of others’ access to an individual through information, attention, or physical proximity." – Ruth Gavison
- Common Law Right to Privacy (as defined by Samuel Warren and Louis Brandeis, 1890): An individual’s right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others.
Lew Tucker (CTO, Sun Microsystems): Cloud computing is not so much a definition of a single term as a trend in service delivery. It's the movement of application services onto the Internet and the increased use of the Internet to access a variety of services traditionally originating from within a company's data center.
Werner Vogels (CTO, Amazon): If you run your services inside the company, privately, utilization becomes an issue. It amortizes your costs over a number of cycles. If you run services outside, on a public service, it is no longer an issue for you.
Greg Olsen (CTO, Coghead): Cloud computing presents a compelling opportunity for consumers of information technology and producers of information services.
Read more .. ..
Speeches from the Enterprise 2.0 Conference in SF are available on [E2 TV]. I posted some interesting tweets from the conference attendees earlier, here are some more:
- When people talk about “breaking down” silos they add fuel to the fire that E20 is a crock. Silos collaborate they don't break down. (@mikojava)
- Change agents have always existed, 2.0 tech brings agents together (@nitinbadjatia)
- Knowledge Management used to be a dusty destination, ent 2.0 allows it to be dynamic and responsive to individual requests (@paulmirvine)
- @CarolineDangson: E2.0 should perhaps be considered more like digital dna, the knowledge backbone of an organization (@paulmirvine)
- Start behind the firewall, open to all employees, educate rather than prohibit, trust is returned (@dcoleman100)
- Clara Shih: people are using FB and Twitter so their friends can serve as social filters for content. (@cjnash)
- @nenshad: “Marketing creates the brand, Support keeps the brand alive.” (@JuliaMak)
- Luxury hotel implemented Six Sigma and eliminated it because it didn’t allow them to overdeliver on Customer Service (@uwehook)
- E2.0 culture change: “Imagine if a store with low sales accused their customers of “resistance”!” (@timoelliott)
- Adoption is not a matter of resistance. If your store that wasn’t being trafficked, would you blame resistance?(@marciamarcia)
- “When you grow up on the internet, client-server looks like green screen today.” (@nenshad)
- Nike talks about “lessons shared”, rather than “lessons learned”. (@lehaweslive)
- @rotkapchen: Why do so many people use the term “enterprise-wide” then? Why not “enterprise-deep”? (@richardveryard)
- @rotkapchen: The first sign that someone has absolutely no clue about E2.0…when they keep referring to “users”. (@ekolsky)
- @marciamarcia: If culture eats strategy for breakfast, how do you feed culture? (@ajeanne)
- Innovation occurs at the intersection of contextually disparate concepts brought together creatively and with an open mind(@paulguyandersen)
Clay Shirky once made the following observation:
"Every time social software improves, it is followed by changes in the way groups work and socialize. One consistently surprising aspect of social software is that it is impossible to predict in advance all of the social dynamics it will create.”
If your organization currently uses Lotus Connections, and you have stumbled upon some new (unexpected) social dynamics with the use of the software, please share them here.
The following three-part presentation explores why merely implementing a wiki style knowledge management system, such as Sharepoint or Confluence does not work for an enterprise, and why social software, like Lotus Connections are required to create a collaborative culture in an enterprise.
People at the Center
Vendor lock-in is an issue with any data storage system - in the cloud or hosted in-house. We need to look into and investigate the tools that the vendor provides to extract the data out of the system.
From what I seen (and experimented with), Google provides excellent set of APIs to access the data stored in Google's Cloud. And Google is always working on to improve the APIs. Google usually first adds functions to the API, and then introduces them in the UI. Compare this to other software vendors, who usually introduce the new functions in the UI and then at a later time provide API access to those functions - if it all.
I currently use both Google Docs and Windows Live Workspace to store my personal / school related stuff. I use both of these because they both have their benefits. Windows Live Workspace provides complete integration with Office 2007, whereas Google Docs provide editing capabilities in a Web browser. Recently I have been thinking of writing an application that will synchronize the content of both of these repositories. Google provides APIs that make this task easy from Google's side, but there are no Windows Live Workspace APIs, so I have to devise a workaround to get documents into the Windows Live Workspace.
No amount of precautions can avoid problems that we do not yet foresee. We need to find solutions to the problems, not just avoid them. An ounce of prevention equals a pound of cure, but that's only if we know what to "prevent". We should be looking into ways to reduce the security and privacy risks associated with Cloud Computing and improve data-portability- efficiently and cheaply.
With problems that we are not aware of yet, the ability to put right - not the sheer good luck of avoiding indefinitely - is our only hope, not just of solving problems, but of making progress. - Physicist David Deutsch
Oh btw, also check out Data Liberation Front
An excellent advice from Anthony Bradley of Gartner on Piloting Social Media:
“The most successful implementations I’ve seen don’t “pilot,” they execute on a planned increment. When you go to the community with a social media solution, go for real. So how do you mitigate risk? Mitigate risk with a carefully scoped purpose. Minimize the initial business purpose pursued but pursue that purpose with all the execution discipline it requires.”