Tag Archive for U.S.

Independence Day

Uncle Sam wants you to have an excellent Independence Day


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Declaration of Internet Freedom

For too long in the U.S., Congress has attempted to legislate the Internet in favor of big corporations and heavy-handed law enforcement at the expense of its users’ basic Constitutional rights. The Electronic Frontier Foundation writes that Netizens’ strong desire to keep the Internet open and free has been brushed aside as naïve and inconsequential, in favor of lobbyists and special interest groups. Well, no longer.

The EFF and a broad coalition of civil society groups called on elected officials to sign the new Declaration of Internet Freedom and uphold basic rights in the digital world. The Declaration is simple; it offers five core principles that should guide any policy relating to the Internet: stand up for online free expression, openness, access, innovation, and privacy. Sign it here.

 


Early Signers of Declaration of Internet Freedom

• American Civil Liberties Union
• Cheezburger, Inc.
• Free Press
• reddit
• Amnesty International
• Center for Democracy & Technology
• MacUser magazine
• Techdirt
• Boxee
• Electronic Frontier Foundation
• Mozilla
• Tucows

Related articles
  • Amnesty International, Harvard professors sign Declaration of Internet Freedom (nextlevelofnews.com)

 


The Connected Home

Help – My Thermostat is Calling China!

Phil Neray of Q1 Labs, an IBM (IBM) company, posted that in the recent Chinese hack of the U.S. Chamber of Commerce’s network, one attack vector was a thermostat. The thermostat at a Chamber townhouse on Capitol Hill was communicating with an Internet address in China. At the same time, a printer spontaneously started printing pages with Chinese characters (rb- I wrote about securing printers here).

The blog says it is not unusual that the hackers were in the network for more than a year before being detected. He cites the 2011 Data Breach Investigations Report: more than 60% of breaches remain undiscovered for months or longer (versus days or weeks).

rb-

This is one of the risks of the Internet of Things. Security in the era of IoT will have to use machines to monitor the machines.

CIA Chief: We’ll Spy on You Through Your Dishwasher

Spencer Ackerman at Wired points out that more personal and household devices are connecting to the internet. They are now part of the Internet of Things. U.S. CIA Director General David Petraeus cannot wait to use your appliances to spy on you.

General Petraeus recently spoke about the “Internet of Things” at a summit for In-Q-Tel, the CIA’s venture capital firm. “‘Transformational’ is an overused word, but I do believe it properly applies to these technologies particularly to their effect on clandestine tradecraft” the blog recounts.

Mr. Ackerman predicts that people will be sending tagged, geolocated data that a spy agency can intercept in real-time. This will happen when they open their Sears (SHLD) Craftsman garage door with an app on an Apple (AAPL) iPhone. “Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,” Petraeus said, “the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.”

Wired says the CIA has a lot of legal restrictions against spying on American citizens. But collecting ambient geolocation data from devices is a grayer area. This is especially true after the 2008 carve-outs to the Foreign Intelligence Surveillance Act. Hardware manufacturers, it turns out, store a trove of geolocation data, and some legislators have grown alarmed at how easy it is for the government to track you through your Apple iPhone or Sony (SNE) PlayStation.

rb-

The implications of the “Internet of Things” are profound when linked to the transformational nature of the connected home network. The CIA sees great opportunities in wired home devices. Any home gadget with RFID, sensor networks, embedded servers, or energy harvesters is ripe for interception by spy agencies.

Koubachi Wi-Fi Plant Sensor Gives Your Plant a Voice

At CeBIT 2012 in Hannover, Koubachi, the Swiss start-up company behind the popular iPhone plant care assistant, presented its newest innovation. It is called the Koubachi Wi-Fi Plant Sensor, according to ITnewsLink. Building on the success of its popular interactive plant care assistant, the sensor integrates into the Koubachi system to literally give your plant a voice.

The Wi-Fi Plant Sensor measures soil moisture, light intensity, and temperature. Using Wi-Fi, the data is sent to the Koubachi cloud. There it is analyzed by the Koubachi Plant Care Engine. The plant owner gets detailed care instructions on watering, fertilizing, misting, temperature and light through push notifications or email. “The Koubachi Wi-Fi Plant Sensor is the first device ever that enables real-time monitoring of the plant’s vitality,” says Philipp Bolliger, CEO of Koubachi. “It’s a truly unique product in the field of “Internet of Things” and bringing state-of-the-art technology to plant care.”

Smart Gadgets are Like Sleeper Cells in Your Kitchen

Manufacturers are “future-proofing” their appliances with “Internet of Things” capabilities that are latent for now. Christopher Mims at MIT’s Technology Review asserts that major appliances bought in the last three years probably contain a Zigbee-capable wireless radio. The radio can send out information about a device’s status and energy use and receive commands that alter its behavior.

Many appliance makers don’t announce these capabilities. Mr. Mims interviewed Mike Beyerle, an engineer at GE (GE), about GE’s Nucleus home energy management system. “We want to build up a base before we make a big deal out of it,” says Mr. Beyerle.

The author says that manufacturers aren’t telling consumers what their devices are capable of. They are reluctant to do so in part because the abilities are useless without an energy management hub like GE’s Nucleus or a utility company’s smart meter. In both cases, smart appliances must be “bound” to a hub to communicate with the outside world.

Once a device is hooked up to an energy management system and becomes part of the IoT, it gets interesting. Mr. Mims says that users who signed up for a “demand response” program with their utility to get a lower bill enable the utility to control their appliances. For example, a refrigerator’s icemaker’s defrost cycle or the elements in a clothes dryer can be manipulated to drive down power use during times of peak demand.

rb-

Most people do not realize that installing a new smart meter can activate a technological sleeper cell in their HDTV, kitchen, or laundry room. All of these “smart” devices will be part of the “Internet of Things.” They will have an IP address (probably an IPv6 address) and will broadcast via a Zigbee wireless network. This is why the CIA says it can spy on people through their dishwasher.

Connected Kitchen

Engadget says the Samsung RF3289 fridge is designed to let users access Pandora or tweet while grabbing a snack. Samsung touts it as the first to feature integrated Wi-Fi. The Wi-Fi also offers the ability to view Google calendars, check the weather, download recipes from Epicurious, or leave digital notes.

Engadget also reports LG’s Thinq line of connected appliances includes a vacuum, oven, refrigerator, and washer/dryer. They support Wi-Fi and ZigBee to communicate with each other, the smart meter, smartphones, and tablets. That’s a pretty strong foundation to build the Internet of Things, especially if the home is already equipped with ZigBee devices. CNET says the line can be troubleshot remotely; tech support can log in to the device, see what’s wrong, and fix it. Kenmore has a similar product line.

 


U.S. Firms Set Record Hiring H-1B Visa Holders

Corporate America’s assault on the middle class continues. Despite the jobless epidemic, U.S. companies are tripping over themselves to fill high-paying job openings with workers from overseas. Business Insider reports that tech titans, led by Microsoft (MSFT) and IBM (IBM), have already maxed out their allotment of 65,000 H-1B employees.

The article says that U.S. companies have set a three-year record in how quickly they reached the cap for H-1B workers. The application process for 2012 opened on April 1, and on November 23 the U.S. Citizenship and Immigration Services department announced that the cap had been reached.

But there are more than 65,000 jobs at stake. The USCIS also received “more than 20,000 H-1B petitions filed for persons exempt from the cap under the ‘advanced degree’ exemption,” it said. In addition, petitions for workers who already have their visas are not counted toward the cap.

The H-1B visa is a temporary work visa for those classified as “skilled workers” such as IT staff, engineers, doctors, and scientists, and the pay is good. For instance, the average salary for a worker th

 

 


Time to Review Corporate Computer Policies

The National Law Journal is reporting that three recent court decisions make it important for companies to begin a thorough review of their computer policies. The National Law Journal suggests firms focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems, and delineating the scope of the employee’s permissible access to the company computers. The article by Nick Akerman, a partner in the New York office of Dorsey & Whitney who specializes in trade secrets and computer data, discusses three recent decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.

Mr. Akerman says two recent decisions, Quon v. Arch Wireless Operating Co. Inc. and Stengart v. Loving Care Agency Inc., affect a company’s ability to gather evidence from its own computers. The article states both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for personal reasons. Whether an employee has an expectation of privacy on the company computers can become a critical issue when an employee is suspected to have stolen corporate data.

In Quon (which I wrote about here), the 9th U.S. Circuit Court of Appeals held that a review of text messages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. The article explains that although the city had no express policy “directed to text messaging by use of the pagers,” it did have a general “Computer Usage, Internet and E-mail Policy” applicable to all employees that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business. This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers, according to the National Law Journal.

The article goes on to state that the 9th Circuit affirmed the district court’s finding that Quon had a reasonable expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department, where the staff was told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Consistent with that informal policy, Quon had exceeded that limit “three or four times and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘informal policy’ and that Quon reasonably relied on it,” the author states.

In Stengart, Mr. Akerman argues the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found many e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon with one significant exception. Unlike the written policy in Quon, which limited the use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”

The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.

The National Law Journal article says the third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act to retrieve the stolen data and prevent its dissemination in the marketplace. The CFAA provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. A critical element in proving most CFAA claims is that the violator accessed the computer “without authorization” or “exceeding authorized access.”

Mr. Akerman argues that the last case, LVRC Holdings LLC v. Brekka, has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. He reports that Brekka puts into question the concept that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer, such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer.

Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, the article says that from an employer’s standpoint it is important to emphasize that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predicate for unauthorized access by promulgating the rules of access through company policies. The “CFAA … is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden” through several methods, including an employee handbook, explains the National Law Journal article.

Mr. Akerman concludes by suggesting that in designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are company property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Nonetheless, he suggests in light of Quon, Stengart and Brekka, a company should check its computer policies to make sure that they do the following:

• Clearly define the computer systems covered by the policy; expressly encompass whatever technology is used, such as text messaging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.

• Make clear that all data created in furtherance of any personal use belongs to the company — including use of the company systems to access personal web-based e-mail accounts — and may be monitored by the company and will not be confidential.

• Reflect operational reality and are audited at least annually to ensure they reflect operational reality.

• Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.

The time to get this right is now, before the company finds itself the victim of data theft.
