Privacy & Security Conference

Spent last week at the 17th annual Privacy and Security Conference in Victoria. The event is put on by the BC provincial Office of the CIO & Ministry of Finance. What follows are some notes from the sessions I took in.

Overall, the conference was better than I expected, although I found the huge number of vendors and vendor presentations disconcerting. The vast majority of attendees at this conference are primarily from government ministries and departments. As a bit of an outsider, I was troubled by the amount of prime time given to the likes of Oracle, IBM and Microsoft to pitch directly to those in government who make the decisions around IT, privacy and security. There were many problems raised that – surprise – there were solutions to. I’m not naive enough to believe that there isn’t a cozy relationship between government and big tech business, but seeing so much of the conference as a sales pitch to government raised the ick factor for me more so than the usual conference vendor presence. I hope that, at the very least, BC taxpayers made a chunk of sponsorship cash from the conference.

That said, there were some good sessions. My interest was more on the privacy side over the security, so I passed on a lot of the security bits and stuck with mostly privacy sessions.

The first day was dedicated to pre-conference half-day workshops, and the two I attended (Privacy & Ethics, and Privacy Governance) were perfect primers for me coming into a new role that will have privacy and FIPPA as an integral component of the work I’ll be doing.

Privacy is a fairly new societal concept. It wasn’t until the 1890s that this idea of personal privacy as a right began to appear in legal journals, driven by new information technologies of the day (the party line telephone and postcards). Interesting to see how technology remains the primary driver behind privacy discussions today.

“Privacy is contextual” was a recurring message throughout many of the governance and legal sessions I attended. Meaning that, while there is both constitutional and common law around privacy, there is still room for interpretation.

The legislation in BC is driven by some key principles of privacy governance – that the right information is gathered and used by the right person at the right time for the right purpose and in the right way. Practically speaking this means taking measures to ensure that you (as someone collecting personal information) only collect what you need for the purpose you need to collect it for, and only use that data for the purpose you collected it for.

Keynote: Richard Thieme

Richard Thieme did a good keynote on day one, although the title of his talk The Porous Borders of the Modern Imagination: Privacy, Trauma and Mass Media led me to believe there would be some critical analysis of the role of the mass media in shaping the narrative of security, privacy and state surveillance. It never materialized. But the keynote was enjoyable as Thieme provided some historical context around privacy that helped frame the themes of the rest of the conference for me. He also reminded me of how powerfully right McLuhan was when he said (to paraphrase), “we look to the future through a rearview lens”, and how that lens is both comforting and problematic.

ISO 27018

Chantal Bernier (former Privacy Commissioner of Canada) introduced me to the international code of practice for personally identifiable information in public clouds, also known as the ISO 27018 standard. It’s a fairly new standard from ISO, but I can imagine we’ll begin to see this certification being stamped on all manner of services from IT companies offering cloud services. I wonder if this standard may be under consideration by the BC government as they review the current FIPPA legislation?

The TPP and BC’s FIPPA

BC Privacy Commissioner Elizabeth Denham did touch on the current FIPPA review (which a number of educators and educational technology groups have contributed briefs to). The big point in Denham’s talk that jumped out at me was that she believes that the BC privacy laws around local storage of data will hold a trade challenge should the TPP and its clause on allowing the free flow of data across borders be ratified in Canada.

Sketchnoting my way thru the conference

I tried something different this conference. Rather than firing up my laptop and taking part in the backchannel (which, whenever I checked, was crickets considering there were something like 700 people at the conference), I decided to work on sketching some notes during the talks I attended. I have to say, I loved doing this. I found I paid closer attention to the speakers, and my brain had to work hard to try to organize concepts and thoughts on the fly. I can see the appeal and will definitely be using this again in the future.

Putting tools into the hands of faculty with CASA

I’ve been feeling really good about the direction my new role at BCcampus is going. I am in a stage of work where I am feeling creative and energized, scanning the horizon and researching new stuff.

One of the projects I’ve been thinking about (and writing about) is the work with Sandstorm and the BC OpenEd Tech group, and trying to align the work of that group (and specifically with Sandstorm) with a broader vision for my role at both BCcampus and within the system.

What is emerging is a vision that sees me facilitating getting new educational technology into the hands of many people to try, and help with the evaluation of that technology to see where/if it aligns with teaching and learning.  Which is why I am liking Sandstorm because it looks like one way to get new tools into the hands of educators to try.

Another tool that I’ve been looking into is an IMS Global tool called the Community App Sharing Architecture (CASA). CASA is conceptually similar to Sandstorm in that they both share the same end goal of making it easy to deploy applications. But it does differ from Sandstorm in a few ways.

First, it is designed to work primarily with an LMS and is focused on deploying LTI-enabled apps within an LMS, as opposed to Sandstorm, which focuses on stand-alone applications outside of the LMS. The idea is that you can have an app-like “store” within the LMS, with apps that users can deploy and that integrate with the LMS.

But it isn’t limited to the LMS. A CASA app store can be mobile focused as well, as this UCLA example is with a mix of apps and dashboards optimized for mobile devices. And there was also talk in a webinar I watched about sharing analytics (perhaps connected using Caliper), but that seems to be at a pretty conceptual level right now.

The CASA architecture is also interesting in that it enables the connecting of different institutional app stores to each other in a network of trust. Metadata about the apps can be shared between institutions. And this is interesting because what CASA can do is enable the sharing of reviews about the apps between trusted nodes of the network.

Screenshot from CASA webinar (link to archive of webinar is below)

This is an example of what a future CASA app review will look like. Faculty reviews of an app from one CASA-enabled institution can flow through the network and be available to other members of the trusted network. This helps to aid in discoverability of new applications and can help instructors separate the wheat from the chaff. As the number of edu applications continues to explode (the EduAppCenter currently has over 220 LTI-enabled apps in its store), both discoverability and peer reviews from trusted networks are important to help filter, as anyone who has developed a PLN can attest to. CASA has the potential to enable another technology filter by leveraging the reputations in a network of trust.

Right now, CASA is still a beta tool. But it does look like an interesting technology that could make the deployment of edu focused applications easier for end users, while giving them some guideposts as to how useful these tools might be.

PayPal no pal of mine

PayPal has locked up money in my PayPal account for over a month, and they are not giving it back. All because I made the mistake of using the word “Syrian” in a PayPal transaction.

On December 15th my daughter came home and said that her class was raising money to support a Syrian refugee family resettling in Victoria. We sent the notice out to the people you usually hit up for these kinds of kid classroom fundraising activities – our family, a few of whom live out of town.

Last day of classes for school for Christmas break was December 18th, and my daughter needed to have all the money into the school by then. To expedite the process of getting their money to us quickly, I decided to set up a donation form on a private page on my blog and have family members send me the money & I would write a cheque to the school to make sure we met the deadline. On the form, I needed to have a description line for the PayPal transaction. I used the phrase “Maggie’s Syrian Fundraiser” (Maggie is my daughter’s name). Her aunt, 2 uncles, & grandfather made donations.

On Dec 17th I received the following notice from PayPal:

Dear Clint Lalonde,

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account.

PayPal is committed to complying with and meeting its global regulatory obligations. One obligation is to ensure that our customers, merchants, and partners are also in compliance with applicable laws and regulations in their use of PayPal.

To ensure that activity and transactions comply with current regulations, PayPal is requesting that you provide the following information via email to ComplianceTransactions@paypal.com.

1. Purpose of payment ********* made to you on December 16, 2015 in the amount of $50.00 CAD, including a complete and detailed explanation of the goods or services you are providing. Please also explain the transaction message: “Maggie Syrian Fundraiser.”

2. Please specify the Syrian Fundraiser will provide aid to the country of Syria, or if it will benefit those living outside of the country of Syria.

Please go to our Resolution Center to provide this information. To find the Resolution Center, log in to your account and click the Resolution Center subtab. Click Resolve under the Action column and follow the instructions.

If we don’t hear from you by January 01, 2016, we will limit what you can do with your account until the issue is resolved.

We thank you for your prompt attention to this matter. We apologize for any inconvenience.

Yours Sincerely,
Samantha
PayPal

Ok. So, obviously using the word “Syrian” raised a red flag. On December 18th, I emailed them my explanation.

Hi there,

My 11 year old daughter is doing a fundraiser at her school to help with the local resettlement of Syrian refugees in our city, Victoria, British Columbia, Canada. Recently, our federal government committed to accepting and resettling 25,000 Syrian refugees, and there are local fundraising efforts to help support refugee families resettling here in Victoria.

When we began fundraising, a few of our family members asked if there was a way to donate online. I have been a long time PayPal user so I told people to send me a PayPal payment and I would send the money on to the school. I created a PayPal button and stuck it on my personal blog. As of this morning, you should see 4 transactions in my PayPal account from our family members related to my daughter’s school fundraiser. These are from *****, *****, ***** and *****.

Specifically, to answer your questions.

1) “Maggie Syrian Fundraiser.” Maggie is my daughter’s name. The school is collecting money to donate to the Victoria Immigrant and Refugee society to assist with the local resettlement of Syrian refugees here in Victoria.

2) The money does not go to Syria. It stays in Victoria BC and will be used by our local Victoria immigrant and Refugee centre to support the local resettlement of refugees from Syria in Victoria BC.

I hope this response helps to explain the transactions. There may be one or 2 more coming thru this weekend from another aunt and grandfather, but I don’t anticipate many more transactions.

Regards,
Clint Lalonde

For good measure, I uploaded a copy of the letter to their dispute resolution center on the PayPal site, just to make sure that they had a copy on their files and that my response didn’t get buried in some spam folder at PayPal, like the notices from PayPal usually do :).

I figured the explanation would clear things up.

Ha!

PayPal denied 2 of the transactions and tagged 2 others with “pending review”.  My account was restricted, and when I went in to try to figure out what to do to unrestrict the account, I was given no options.

On December 26th, I called PayPal and asked them why there were still 2 pending transactions in my account, why was there a restriction on my account, and what did I need to do beyond what they asked me to do to get these issues both cleared (credit PayPal – you CAN actually speak to a live person). I was put on hold. When the rep came back he said, “well, you have done what has needed to be done. I can’t see why this restriction is still in place and these transactions are still pending.” The call ended with him saying the restrictions and payments would be lifted in 72 hours.

January 4th. Still no resolution. I get a call from Maclean’s Magazine after a reporter there spied a tweet of mine expressing my frustration with PayPal. He tells me I am not alone, and that other fundraising projects related to Syria have been blocked or rejected by PayPal. He writes an article in Maclean’s about the problems many of us are having with PayPal.

January 10th I send an email to Compliance.

There are still 2 payments in my PayPal account that have been marked as “Pending” since December 17, 2015.

Could you please advise me of whether those payments will be cancelled or approved?

Either way, I would like to get this money out of the Pending limbo that it is in with you guys, and have no idea how to do that as I have received no further instructions as to what to do to clear up my account.

I believe I have sent you all the information you have asked for and, in a phone call I made to PayPal support on December 26, 2015, I was led to believe that this issue was cleared up and the holds would be removed from my account. That was over 2 weeks ago, and the 2 payments are still being held as “Pending” with you.

Can you please advise me if you need more information from me, or else release or deny these payments asap?

Thank you for your attention to this matter.

Clint Lalonde

No response.

January 18th – second call to PayPal. Again told that everything looked fine on their end and that the payments and restrictions would be lifted within 72 hours.

January 21 – It has been 72 hours. Payments still pending. Account still restricted. I call back. I am told that my issue is sitting in a backlog with compliance because “it is tax season” and that they will get to it in 72 hours.

Excuse me if I sound skeptical.

This is where we are today.

What a gong show.

I’d like to tie this back into something wider – about some social commentary about how a big corporation reliant on data decision making has lost the ability to decipher well-intentioned actions from legitimate threats. I mean, hell, if I was going to launder money for some sort of subversive Syrian terrorist organization, the first thing I would do to hide my tracks is put the word “Syrian” in the description of a financial transaction. I mean, being a money laundering international terrorist does not mean that I can forgo keeping well detailed and accurate books.

And part of me also wants to ruminate on what this might mean for me in the future. Not only what being flagged in PayPal for suspicious activity, but even writing this blog post and using the word “Syrian” in it as many times as I have has likely got me onto who knows what list.

What if I try to cross the border? Will this silly screw-up somehow get me moved to the special room? I *think* I am being facetious with this line of thinking, but in my head I am both laughing at the ridiculousness of this, and feeling the chill of unease as a little part of me wonders, have I triggered something bigger? Have I now been added by some smart/dumb algorithm to a no-fly list based on some stupid PayPal flag? I mean, someone getting accidentally added to “the special list” through no real fault of their own…that doesn’t happen in real life, does it?

Update: January 25, 2016. It is Monday, the day PayPal told me that my account would be fixed. Well, my account is still restricted and PayPal has not released the payments pending in my account.

Amazon Web Services coming to Canada

Sensitive Data sign, Freegeek, Portland, Oregon, USA by Cory Doctorow CC-BY-SA

In a blog post on the AWS site, Amazon Web Services Chief Evangelist Jeff Barr announced that Amazon Web Services will be bringing their cloud computing service to Canada sometime this year.

This is potentially big news for edtech in Canada where our privacy laws have hindered the use of cloud based services where personal data may be stored outside of the country.

These days, it’s hard to find scalable edtech infrastructure and services that are not built on AWS (or other) cloud services, and having data stored outside of Canada using cloud services has traditionally been a barrier to adoption for Canadian institutions. Not a deal breaker as there are ways to mitigate and still be compliant with privacy laws through informed consent, etc. But for many, the P.I.A (Privacy Impact Assessment) is a P.I.A. and enough of a barrier that it hindered the use of cloud based services.

For an edtech example, Canvas has had very little uptake in Canada because it is built on AWS.

Of the 25 public post-secondary institutions in BC, there is only a single institution using Canvas, and they are self hosting to work around the data storage issue. With a regional offering of AWS in Canada, I would expect to see a company like Instructure bring Canvas north of the border soon, and it being a serious contender for institutions undertaking LMS reviews.

While not explicitly stated in the release that it will be compatible with all the different provincial and federal privacy laws, it’s hard to imagine Amazon rolling out services in Canada that are not as compliant as possible. Indeed, privacy compliance with federal and provincial laws would be one of the biggest selling points for the service in Canada, as PCWorld notes:

Having a dedicated Canadian region will be important for organizations that need to comply with the patchwork of regional data protection laws Canada has, which requires the storage of some types of data inside Canada, depending on where the storer is located.

Although the question of “does legislation actually make a difference where data is stored in an interconnected world?” hangs in the air, with many seeing these regulations as doing nothing but providing the illusion of data protection for citizens.

And who knows, the TPP may get ratified in Canada and then it is a different data protection game altogether as the TPP clause on free flowing data between member countries would put it at direct odds with provincial & federal privacy laws. And while edtech might win with the TPP in that we get better access to more cloud services,  I have real concerns at what the cost to the rest of our society might be.

Addendum

Shortly after I posted this, Scott Leslie tweeted in response to this post that even if the servers are located in Canada, there is still a question of where the parent company is located.

On weak ties and faculty OER research

Yesterday BCcampus published a research report on how faculty at BC post-secondary institutions use open educational resources. I’m not going to do any analysis or synthesis of the report here. You can read the report.

Really, this is more a public thank you to the OER Research Hub (and in particular Martin Weller and Beck Pitt), and the BC Open Textbook Faculty Fellows Rajiv Jhangiani, Christina Hendricks and Jessie Key. This was an immensely satisfying project for me to work on for a lot of reasons, not the least of which was the opportune excuse to work with excellent people.

I always knew we wanted to do some kind of research with our open textbook project, but in those early days (not being a researcher) I had a tough time figuring out how to pull it off. I am not a Ph.D. and, despite the fact that BCcampus as a whole is a research project in the eyes of our parent institution SFU, we don’t do the kind of research typical of research projects. Both Mary and I tried to jump through a few administrative hoops to work with the SFU Research Office to make a research project happen, but it felt like we were getting bogged down in the weeds.

In the fall of 2014, I was pretty well convinced that a research project as part of the open textbook project wasn’t going to happen. Which made me feel like I was blowing an opportunity to be able to give something of potential value back to the OpenEd community. I was (and still am) acutely aware of the need for more research on all things open to further the work we all do, and the thought that we were seeing an opportunity slip away was eating at me.

Then, just as I was reaching peak frustration with our lack of progress on the research front and my own feeble attempts to will it into being, something serendipitously awesome happened. Martin Weller at the OER Hub contacted me and asked if we were thinking of doing any research and, if so, did we need help.

I literally wanted to reach thru the interwebs and hug Martin. But at that point we were still kind of weak tie social media friends and I thought I should wait a bit before commencing the hugging. Besides, he’s a Spurs fan and I’ve spent my adult soccer life rooting for the Gunners, so that would have just been awkward (this was before I knew of his love for ice hockey).

But…Twitter folks. Twitter made that connection happen.

<insert reflective pause to acknowledge the power of weak tie networks here>

Anyway, from there, Martin brought Beck Pitt in, and the research was looking more real than it had just a few days earlier.

On our end, around the same time, we had our first meeting with the BC Open Textbook Faculty Fellows. Rajiv especially latched onto the research angle right away and saw the importance of coming out of the open textbook project with data in hand. A few meetings between Rajiv, Beck and myself and we were off and running….and then stalled….and then took off again….and then stalled….and then took off again.

We collected the data in Feb/March of 2015 via a survey to faculty who use OER in BC. Rajiv, Beck, Jessie and Christina analyzed the data in the spring and summer, and we spent the fall writing the report. If you saw our presentation at OpenEd in November (Beck I am truly sorry that Rajiv and I changed your slides without telling you just moments before you hit the stage), then you got the high points.

And here it is.

All hail the power of the weak ties in enabling cool stuff to happen.