Thursday, January 31, 2008

4 Ds of Information loss – Death

Death comes to us all. And from a legal perspective, death doesn't stop data. Data is property. Digital photographs are the same as physical photographs from an ownership perspective.

However, the law and reality split.

Getting your hands on your data

Lets assume that Aunt Bessie has died. What now... well as her only heir you get everything.
All her encrypted files. All her data accounts. All her data is yours, but you can't get to it.

Unless Bessie provided something for you...

As Ellybabes pointed out in her Death and Divorce in the Digital World presentation, unless you leave someone the password, they are going to stay locked out.

There is a method... as was pointed out in the ‘Security Now!’ podcast (episode 72):

Today, while alive, I don’t want to give my sensitive stuff or passwords to anyone, including my wife. But when I eventually die or become very ill, I need to make sure that my family has access.
But I know my wife wouldn’t be able to figure it out to save her life. If I have TrueCrypted all of my data, have complex unguessable password schemes and so forth, how do I unwind all of that for the benefit of other people I care about in my life?


So what you could do would be give to your attorney who has your will, or in a safety deposit box, something where access will be granted in the event of something bad happening to you without your taking any action.
Here’s what I’m thinking is that you separate the information out. So one of the things TrueCrypt lets you do is have an image file and a password. You need both; right? Maybe give the attorney the password, maybe even put it in your will, and store the image file in a safety deposit box. Separate the two, to be opened on your death or whatever.


But if you change your password regularly... then the copy with the attorney is probably out of date.
You could always try to break in to the machine, or maybe you don't need to, after all, if the hard drive is not encrypted, you just need to put it in another machine. Right?

What if the machine isn't local. What if the data is on a remote server. Do you need to go get a wig and break in somewhere.

Well, if you want to keep the data, the answer might be yet.

No right of survivorship

Under the terms of service of Yahoo, which includes the photograph sharing service Flickr,
(section 27 Paragraph 4)No Right of Survivorship and Non-Transferability. You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.


Or if you prove that she's dead, you loose access to all her stuff permanently.

For the record, a Flickr.com spokesperson detailed how their system works...
Flickr works with the Yahoo! Legal Compliance team to resolve these types of situations. You'll need to send them a copy of the death certificate in order to have the Flickr
account closed. Please include their Yahoo! ID as well as their Flickr screen name for removal of the Flickr account. Compliance can be reached [via telephone and fax].

After a death certificate is received we are not able to
give access to the account but we can close it.


Memorial State

Sites like Facebook are a little more accommodating. According to a Facebook spokesperson
When it comes to our attention that a user has passed away, put the profile in a Memorial State. In the Memorial State, certain profile sections and features are hidden from view to protect the privacy of the departed. We encourage users to utilize groups and group discussions to mourn and remember the deceased.

I don't know what "Memorial State" means, but it does mean that the data is retained.

Not everywhere has such a formal response... I contacted the Irish based life data organizerPutPlace.com and the photo and social network Pix.ie.

When I posed the question to Marcus MacInnes of Pix.ie he replied...
We do not have a specific policy dealing with the death of one of our users. Our policy on account access however is as follows:
We provide access to a user’s account only under one of the following conditions:
1.via our automated password recovery method;
2. if instructed to do so by a user’s legal personal representative (which may be the user themselves);
3. if we are required to do so by law.

In the event that the owner of an account dies, upon request, we would be obliged to surrender that account to the user’s legal personal representative (usually the executor of their will). The legal representative would then act in accordance with the wishes of the deceased and may for instance request deletion of the account.

And Joe Drumgoole of PutPlace.com explained that
we haven't put the legal framework in place yet. Our intention is that all content gets assigned to the probate or estate and the executor gets to do his stuff. In situations where no estate exists or legal structures don't support it we will allow appropriate next of kin (spouse, children, siblings, parents etc.) with supporting documentation to take over the account. We will support an alternate contact to allow somebody else to recover the account but we depend on the user to keep this up to date.

Its definitely a tricky area and something we will be coming across more and more in the future.


Messages from beyond

Another complicating factor is that with more and more of s spending our lives on line. Frequently out virtual network of friends and "friends" are the only ones that the next of kin cannot contact, because all this data exists on remote servers. Do you have a local or hard copy of all your friends contact e-mail addresses or IM names? (Actually do you have a list of all your accounts?)

If you got access to Aunt Bessie's social network account, should "she" be the one sending the funeral notice. Is parking the account in a "Memorial State" the answer? Marcus MacInnes of Pix.ie explained
[the] moral issue which until your question, we had not fully considered. How would friends react to receiving an on-line message from someone whom they knew had recently died. We cannot assume that the custodian of the account would act in any given manner and it is not clear whether or not we have a moral responsibility to provide reasonable protection to our users from receiving messages via our platform which are likely to cause distress. An example of this may be when a custodian acts irresponsibly, either intentionally or unintentionally.


Because of my questions, their policies are being reviewed.

I would have loved to include details of the policies of other vendors, but only the above companies contacted my in time. If I get any more details I'll include them in the comments.

Take care,
William Knott

With kind thanks to John Looney of Google (for the tech and social angles) and Simon McGarr of Tuppenceworth.ie (for the legal questions and answers) and for all the people quoted above for providing their perspectives.

tags : , , , legal, , , , , , , , , , , , , , , ,

Labels: , , , , , , , , , , , , , , ,

Thursday, January 24, 2008

4 Ds of Information loss – Data loss

I have the nasty feeling that I have more questions than answers but here goes...

The old days

Before technology, life in the office was simple. You have documents, and you filed them away. They were big, bulky and paper based (once stone, velum and papyrus had their days). Sometimes documents got lost (down the back of the filing cabinet), sometimes documents were destroyed (blessed be the shredder despite projects to restore shredded documents using software). Rarely did physical documents end up in the hands of the wrong person (but it happened). The came easy duplication. And then came electronic records.

Electronic records, or data to give it an even more generic name, are everywhere. Data can be automatically collected and stored. When I first raised “data loss" I simply assumed I would stay on simple technical grounds such “hard disk crash" or indeed loosing the financial data of 25 million people in the post. Some of the issues are technical, some and legal, but all are social.

Never enough

Disk drives get larger to cope with the torrent of data. Much in the same way that “you can never be too rich" it's true that “you can never have too much disk space". However... As data volume grows, our ability to weed out the what from the chaff declines. It's easy to say 'never throw out anything, in case it's needed'. It also lets you avoid the boring (and possibly compromising) task of deleting data you don't need. However, then your operational budget bloats - it costs as much to look after useless data as expensive data. If it goes on long enough, you can't do anything about it; it's possible you won't never remember what most of it is.

This is where one part of the legal framework stands. If you are, say, automatically collecting all the web sites that a certain IP address connects to, how long should you hang on to it? How long is it legally useful for? And worth keeping for? ( Digital Right Ireland have a few things to say on this.) There is also a technical problem... If an Internet access node is unsecured, is the owner of the node liable for something posted using it? At the moment, yes, but that is because it hasn't been tested in an Irish Court

Sealed with a click

Another part of this is content. Google have an archive of a precursor to the web, called Usenet on archive. This is data. Public data? Well everything was considered public a the time. So this archive is publicly available.

But what about you diary? Not your blog, but your diary. Currently you have automatic copyright protection on everything you write. The contents of your diary become public domain 75 years after your death. Does the same apply to your e-mail? Private musings are supposed to become public domain after a time. If you turn out to be a famous person (at the time of your death) someone will hang on to every scrap of paper in the hopes that it will be worth something.
However every e-mail you write is technically protected under copyright, and replying or worse, forwarding an e-mail is technically in breach of a dozen copyright laws. When should your e-mail become public domain? If that data is on your hard drive, there is some hope that it will be forgotten about, but as a Microsoft anti-trust cases showed, e-mail has a habit of copying itself in other places than your drive. After all, there are the recipients, and all the server between (and a few that shouldn't have gotten it in the first place).
When should this mail become public domain? 75 years after your and every contributor's death? Something like that is impractical. 100 years after the message is sent? 50 years? And what if the message contains still confidential information (like the secret recipe for Snickerdoodles & Chocodoodles)?

Silly idea? Old medical records do go “public", but these are usually stored in archives of interest to few (usually medical students and researchers who would be qualified to have access to the information in the first place).
“Would it be morally right to give public access to email & messaging accounts 100 years after they were last accessed ? How interested would the historians of the future be in a copy of bebo.com from 2005 ? Or the contents of the mailbox of a famous serial killer 50 years after they died ? I don't think we have the option of letting that sort of data lapse. It will be the clearest echo of society's global digital consciousness."

This is the first time that the general public have had their personal messages (not just) information stored. Should I be retailed for your grandchildren (but hidden from your prospective employer)? When should an e-mail be considered an orphaned work?

Backing away

Along with the problem of how long data should be retained, lets look at the actual retention problem. If you 'never throw out anything, in case it's needed', you have an increased storage problem. I hear the call of “backups"?

“As data volumes grow, you either have to put all your eggs in one basket, or have multiple baskets. From experience, it's so tempting to try consolidate your data in one place, to reduce admin overhead. Hopefully that one system won't have a buggy motherboard that's silently corrupting everything it writes. And it's really painful if someone accidentally deletes a few petabytes of data - copying from backups takes ages, for a start."
Or “bugs in archival software ("Yup, that's archived. Oh, wait. No..it isn't. The machine had a bad disk, software crashed, and reported 'everything OK' when it restarted...") and freaky network instability (guys doing rewiring, restarting cluster routers and maybe some dodgy cables) resulting in more than one machine reporting as being the 'one true repository' for a certain type of data."

So the backups might be a problem....

But let's assume that the backups are valid. Then you have 2 format problems.
We don't have the hardware which can read the tapes anymore.
This actually happened to me professionally. I remembered when the archives were made, and indeed the data was found. Documented in place A where where the off-site storage utility had the backups. However, the tape drives had been scrapped years before.
And those of you that remember the Domesday project know tha the BBC fell in to a similar problem.

But let's assume that the anarchic backup archive tape could get it's contents loaded on to a system you can use... can you read the data format?

Earlier this year, Microsoft released a service pack which purposefully disabled older file formats. So your carefully restored data might be unreadable to the world, and worse, yourself. In a business case, the original specifications (or recipe) might be needed. Or your great grandfather's proposal on an on-line forum to the woman you've come to know as your great grand aunt.

Is there a “fix" for this? Well making the older formats fall in to the public domain would help. After all, if you're not using them...

So who deserves the credit, and who deserves the blame

So the disk has crashed, who do you sue? It should be simple, but it ain't. Much like a delayed or canceled air flight is not the cause of refunds if the cause of the problem is beyond the control of the airline, there are ways a disk can go. Legally.

Usually a hard disk will crash in infancy (within a day or two of starting life), meaning little if anything has been lost and it's under warranty of the manufacturer. Or the disk will die was it approaches the end of it's predicted life (well after warranty). The fact that the computer is usually obsolete long before you take it out of the box isn't something to be considered.

And while I'm sure that back-up software and hardware has warranties, the legal click through probably covers some lost data. But since the cost a new hard disk is usually less than the lost of the backup measures... home backing up is rare.

In a corporate setting, the party that looses the data should be held liable, but I don't know of any cases in Irish law on data crashes. Data gong missing however...

it's a steal, it's a loss

Credit card data gets stolen. It's an identifiable crime. Who (other than the criminals) is liable?
Well was a reasonable attempt made to protect the data? If so, was it reasonable enough? Can you sue for loss of data? (and given the ability to reconstruct shredded credit card bills (cited at the start) are you the cause of the data breach?)

Apparently no. If data is lost (in the post) or stolen, there is no case until the data is used and a victim can be shown to have damages (or have lost money) from the act. If personal data goes missing, is there a lawsuit? Liable or slander is not applicable since the data suggests if not proves that the information about the victim is true. There are privacy charges, but currently there is no privacy law in Ireland. Direct financial damages are possible, but the cost of the case is usually more than the loss? And there is the time it takes...

In the case of the recent UK financial data loss a lot of the data is personal data pertaining to minors. In fact everything needed for identity theft for then the minor becomes an adult. So someone sitting on the data would wait 10 to 18 years to strike. Is there a statute of limitations (or similar) for data theft? Or in this case, identity stolen almost a generation ago?

Well, I have asked more questions than I've answered...

Anyone able to answer some of these too?

Take care,
William Knott

With kind thanks to John Looney of Google (for the tech and social angles) and Simon McGarr of Tuppenceworth.ie (for the legal questions and answers)

tags : , , , , , , , , , , , , , ,

Labels: , , , , , , , , , , , , , ,

Sunday, January 20, 2008

Passion lives here

"The best four minutes of my entire life were those in the Olympic stadium. My husband is offended when I say this" -- Isabel Allende

Isabel Allende spoke at the TED conference in March 2007. She spoke about passion. About helping. About women. About strength. And about feminism.

She speaks with strength. With humour. With power. And with passion.

Watch the lecture, and see what you can change in the world.



take care,
William Knott

p.s. she also passes on beauty tips from Sophia Loren

tags : , , ,

Labels: , ,

Thursday, January 17, 2008

The 4 ds of information loss - Statement of intent

When someone talks about losing their data, the assumption is a hard disk crash. But not always. Sometimes it's something more.

Sometimes its business. Sometimes it's personal. So it's not always technical.

The thought sprung to mind when I was driving to Waterford with Security Now playing through the radio. This was also after the Facebook/Scoble/Plaxo incident around Christmas, so ownership of data was in my mind. Barcamp Waterford was where Ellybabes presented Death and Divorce in the Digital World almost a year ago. (The slides from the presentation are in the link)

At the session few, if any of the questions were answered, so I'm going to take a stab at it over the new weeks. The schedule I'm planning is...

24-Jan-08 D 1. Data losses (from a head crash to lost in the mail)
31-Jan-08 D 2. Death (You're gone, but your data will live on)
07-Feb-08 D 3. Demotion (You're fired, and I own your info)
14-Feb-08 D 4. Divorce (I didn't choose the date to be sarcastic)

I don't have all the answers, or even all the questions. So if there is anything you want me to cover (or corrections after the fact) please let me know either through e-mail or comment

take care,
William Knott

tags : , , , , , ,

Labels: , , , , , ,

Wednesday, January 09, 2008

Pick me

That Mulley man is seeking nominations for this year’s Irish Blog Awards. Nominations close at 9pm (Irish time) on Friday January the 18th. In fact Damien wants us all to do more. I don't know if it counts, but for the first round he wants judges. Lots and lots of judges.

It is a way to start...

take care,
William Knott

tags :

Labels:

Defrosting January

Reviewing adverts is one thing, however I never thought I'd be reviewing a trailer for a play.
But it does beg the question, given the potential power of internet video, how come so few theatre groups (especially those seeking funding) don't use such an opportunity.

Anyway, on to "They Never Froze Walt Disney" by Jody O’Neill. The trailer is embedded below, and I'll type about it after that.



Theatre Makers specialise in what I'll call "uncomfortable absurdist comedy". The trailer gives an excellent example. What sounds like an insult and accusation, extended just long enough to fall in to humour. The principle of "don't think of an elephant" or "don't laugh at the funeral" which simply triggers the opposite reaction is what they do very well.

The advert itself is a simple "information" advert. This is when the play is on and where it's showing. The mood is simultaneously bleak and absurd. Which is probably a review of the play too.

Well, would you go?
They Never Froze Walt Disney
The Granary Theatre, Cork
8th-12th January at 8pm (preview January 7th)
Bookings & Info: 021 490 4275

take care,
Will

tags : , , , , , ,

Labels: , , , , , ,

Wednesday, January 02, 2008

tweetless

I've read a love letter for twitter but Twitter has been a cruel mistress for me.

At first, I thought I'd try it out, and we quickly fell in love. However its interface was a problem for me. I'm not alone in this, which might be why there are so many alternative interfaces for it online. I discovered that the SMS interface was perfect for me. I like to spend time off line, but in contact. True, for a while my phone felt like a tamagochi, but I made friends. Actually met people in Tweet ups and experienced its back channel possibilities. I tried out Jaiku and loved it too. True that “tweeting” via SMS cost a bit, due to the price of an international text, but it was worth it.

On the SMS front, all broadcast posts are also sent to your phone as a text (if you express the choice). On Jaiku all the people you add as contacts have their first or initial post arrive on your phone. Only replies to your posts are SMSed to you. It's actually hard to reply to a post via SMS on Jaiku, you have to start the text with the name of the intended recipient, this means that it might appear as a separate post, but the right person will look at it. You can receive an unlimited number of texts from Jaiku, but given the reply structure, the numbers are low.

On Twitter you can choose who arrives to your phone via SMS. However you receive every post they make to Twitter, since threaded replies are not possible on their system. They also limit the number of posts you can receive to 250 a week. The first day they started this was during the IT@Cork conference (in Cork naturally). The limit was hit by every attendant before the end of the day.

The limit means that I miss out on most of the friends I've made there. I have an old phone. I can't install the mobile client for Twitter on it. Simply put, I can't afford a new phone. I also like not having to remain online to see the conversation. Maybe it's me. Maybe I shouldn't have such high expectation for mobile communications but I LIKE to be spoilt.

The limit means that I've lost a lot from Twitter. If there is an offline client, let me know! (google reader gets filled really quickly with tweets)

Should I dedicate an RSS reader just to my friends?

Any ideas?

Take care
Will Knott

tags :
, , ,

Labels: , ,