Tuesday, April 26, 2016

Us vs the Europeans

The European Union definition of personal information and of privacy is so much more restrictive than ours that it should come as no surprise that the Europeans are not as interested in using massive data suction tools to find terrorists as this government is.

I wish I could say that any of the presidential candidates understood the issues around privacy, in particular digital privacy, but I'm afraid we are going to have to leave that to the Supreme Court.

The FBI director says he was greatly misunderstood, that he's simply interested in being able to read "clear text."  Meanwhile, we learn that there was nothing of interest on the work phone in San Bernardino that caused the FBI to take Apple to court to break the device's encryption and to create software most of us in the business call a "back door."  The FBI however is still hopeful that they might be able to figure out what the terrorists did in time not yet accounted for by checking out their GPS data.  (If they were smart enough to use burner phones, they would have been smart enough to turn off "Location Services," thus turn off GPS.)

I am looking for a leader, perhaps a former government official, to become the clear spokesperson for privacy and in particular for digital privacy.  I don't think that Tim Cook can do this and run his business at the same time.  We need a private sector leader to explain clearly to the American public what is at stake in these skirmishes. 

Thursday, April 14, 2016

A reasonable expectation of privacy.




I'm in my office before class, having started my morning with a New York University-hosted forum on the Zika virus, which actually will be up for discussion in class this afternoon. About an hour after that forum concluded, Microsoft announced that it was suing the U.S. Department of Justice, "challenging as unconstitutional the government’s authority to bar tech companies from telling customers when their data has been examined by federal agents." (Wall Street Journal)  

Now, class prep completed, I'm listening to an address that FBI director James Comey gave at Kenyon College's "Expectation of Privacy" conference.  He is of course arguing that there needs to be a way into encrypted systems, with many examples being tossed out, usually about terrorists or kidnappers or murderers.  He rejects absolutely the "slippery slope" argument. He asks for a substantive, thoughtful conversation about security and liberty.  He ignores the issue of the back door becoming accessible to the criminals, nation states or terrorists.

The late Antonin Scalia argued some time ago that "There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all."
Let's hope that the Congress can remember this, divided as it is, as one or more anti-encryption bills go forward.

I admire Director Comey enormously, including his references to FBI agent training he has instituted via a visit to the Holocaust Museum, and the order from Bobby Kennedy to wiretap Dr. Martin Luther King Jr.'s phones.  I think, though, here you will find the other side of the article missing -- the side that makes the "slippery slope" argument, that believes that source code is protected speech, and that resists creating a tool that the government asks for, one that breaks its own product.

He is right, we have never been closer to a condition of complete privacy with the advent of encryption. May I also point out that the question and answer session that follows his talk is well worth listening to.  He is a good teacher.


Thursday, March 31, 2016

Rehearsing Before Class...

So much about risk management needs to be re-emphasized on the first day of class.  To paraphrase the key points about risk in a new risk guidebook that I've been involved with:
  • Risks are not always negative.
  • If you manage risk, you are managing performance.
  • Managing risks is about managing opportunities.
I've got 13 students registered for this advanced course that looks at whether or not risk is handled differently in the public sector than in the private sector.  Add to this first class an additional seven visitors, who will be entering the MSIM program next fall.

I'm incorporating feedback I received from my winter risk course evaluation.  We'll still have eight guest speakers in the first hour, but then I'm going to take the next hour or so to engage more in a discussion than a lecture, including scenarios that will allow the students to practice the art of risk assessment before they actually have to present at the end of each week. This quarter's guest speakers are superb:

  • Lucianne Phillips, FEMA Regional Private Sector Liaison
  • Mike Hamilton, CEO of Critical Informatics, former City of Seattle CISO
  • Michele Turner, Sr. Compliance Mgr, Microsoft Universal Store
  • Al Wilson, Director of Business Continuity, BECU
  • Todd Mack, Deloitte Tech Risk, Risk and Resilience Director
  • Mike Howard, Microsoft Chief Security Officer
  • Mary Gardner, Information Security Officer, FredHutch
  • Aaron Weller, Director of Cybersecurity and Privacy, PwC 

Off I go....

Monday, March 28, 2016

"Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats


Cherry Trees Outside Suzzallo Library, across from Gerberding Hall, University of Washington

I've had a bit of a spring break.  I spent four days in New York City, speaking at a risk conference and in meetings around future publications and conferences.  I managed to complete annual checkups with my doctors, set up a new trainer who starts this week, and have a lovely day with my sister at the Museum of Modern Art and the Manhattan St. Patrick's Day parade.  That's a lot to accomplish in two weeks, especially when I was grading final papers as well.

Classes for spring quarter begin this week.  I'm teaching on Thursday evenings and managing the Master of Science in Information Management (MSIM) internship program.  Additionally, I've got deadlines on another article for The Risk Universe, final comments on a risk guide for state transportation departments, funded by the National Transportation Board, and the outline of a chapter on conduct risk to be written for a new book on that topic in the Risk Books series from England.

So the fire is lit in me, to be passed on to my students this quarter.  I have never done just one thing at a time.  The possibilities seem endless.

Wednesday, March 2, 2016

Winding down the winter quarter

A university quarter is ten weeks of instruction, followed by a finals week.  Not enough time to drill all the way down on so many topics.  In the operational risk course, we've had spectacular presentations on 9/11 and its aftermath, and (last week) on the Paris ISIS attacks last year.  In the ethics, policy and law course, the most interesting component of the course turns out to be the weekly reflections (250-500 words) that students turn in, referencing both the readings and the class discussion in the prior week.  Both courses have had outstanding speakers -- a total of 15 speakers for me to coerce into speaking, then coordinate appearances in the classroom.  I'm feeling a bit nostalgic this week since it's the last week I lecture.  Next week, in both classes, students present executive summaries of the long papers they will have written by then.  From experience I know that at least several of them will be publishable.

I see the overlap clearly between how we think about risk and the critical thinking we bring to it from the ethics, policy and law framework where information management is concerned.  Because of what is going on in the world, both classes this week will address the important Apple v. FBI court case that somehow incorporates all the elements we've been talking about.  Code is free speech, says Apple, invoking the First Amendment as well as due process.  Just this once since we screwed up and changed the password, says the FBI.  This puts the case at the heart of questions around government overreach since 9/11 as well as citizens' privacy and Constitutional protections.

Even as we take this up one more time, our guest speakers are illustrative of the other issues we discuss:  in the risk class, our guest speaker is UW seismologist Bill Steele; and our group presentation will be on the Japanese earthquake/tsunami/nuclear reactor event several years ago.  In the ethics class, our guest speaker is UW Law Professor Kathleen O'Neill, to speak on intellectual property.  She's spent years on this topic, and I look forward to her remarks to the mid-career students, with what is bound to be a vigorous and lively discussion.


Wednesday, January 6, 2016

Expanding the discourse

When the mountain agrees to be photographed at the UW.

I can see just how complicated last quarter was by the paucity of my posts.

After several weeks of winter break, I am back in harness, ready to begin teaching two beloved courses for winter quarter.

Tomorrow, I meet 25 graduate students to kick off "Information and Operational Risk," a course I designed in 2011 and have taught since.


On Friday late afternoon, I meet 25 mostly other graduate students to teach "Ethics, Policy & Law in Information Use," a course I've taught since 2012, primarily to mid-career students working on their Master of Science in Information Management.


Just because I've taught it before doesn't mean I know how to do it again.  The students are different, and so are the questions. In fact, the real life issues that inform both courses are under rather continuous scrutiny in the real world.  So while both courses involve the presentations of frameworks and theories, they are made relevant by shining a contemporary lens on the issues, particularly on the grey areas. And though the architecture of the rooms and the size of the classes throw up real roadblocks, we're still going to try to proceed in seminar format.

Speaking to incoming MSIM students at orientation, 2014

For the risk course, we have eight guest speakers from industry, including Jack Sullivan, VP of Safety & Security at Starbucks; Kirk Bailey, UW Chief Information Security Officer; KPMG Partner Michael Isensee; Jim Loter, Seattle Public Library IT Director; PR genius/crisis management expert Dan McConnell; economist/thought leader Bill Longbrake; and UW seismologist Bill Steele.  We have an eighth speaker yet to be announced.

For the ethics, policy & law course, we have guest speakers also, but most of them come from the university, given the topic areas:  Adam Moore, Associate Professor in the Information School (privacy); Ph.D. candidate Michael Katell, UW Information School (surveillance); Ryan Calo, Assistant Professor in the Law School (Tech Policy Lab); Doug Klunder, ACLU privacy counsel (NSA and Snowden); UW Research Assistant Professor Maria Garrido (TASCHA and social justice); UW Professor of Law Kathleen O'Neill (intellectual property); UW Assistant Professor Megan Finn (net neutrality and internet governance); and an eighth speaker, also yet to be announced.

From such courses come papers which in turn sometimes become research notes published by ASA, to expand the discourse.  Twenty-six such research notes have just been published by the ASA Institute for Risk and Innovation as Reflections on Risk, Volume III, with contributions from 16 different authors.  I could not be more pleased by the quality of work that the volume represents.


For that reason and because of the energy I get back from the students, I'll keep you posted on both of these courses.

Wednesday, November 25, 2015

World Enough and Time

As I back into the Thanksgiving holiday weekend, global risk has never been higher. There is really not a clear beginning to Daesh, the organization that calls itself The Islamic State or ISIS.  We do know that a caliphate was declared in 2014 after the group broke away from others with similar intentions in the Mideast.  Since the caliphate was declared, the threat from Daesh has spread from the Mideast into other parts of the world, most recently into Paris about ten days ago.

We can analyze where Daesh's money comes from, and how sophisticated its use of social media is, but in point of fact we are dealing with terrorists, fanatics whose goal is to reform the world, to remake it free of the perversity, corruption and heretics it condemns with words from Islamic teaching.

In February I published a piece in The Risk Universe suggesting that the NSA and Anonymous team up to take down financial supply chain lines that fuel Daesh's operations.  Formally, only Anonymous has responded, taking down over 20,000 Twitter sites that are used to recruit young people or pass on propaganda of one sort or another.  I know that NSA and other American intelligence operations have stepped up their efforts online in the last week, and hope that the Pentagon is not far behind, despite those overly optimistic "We have contained ISIS" messages that were being sent out by higher ups.

So tomorrow is Thanksgiving.  I wish each of you a lovely day, one with time to reflect on just how very fortunate we are to live in a country that has a constitution and amendments to protect basic human freedoms, of late to protect those freedoms against political ignoramuses.  Blake has a poem called "The Grey Monk," in which he talks about the cycle of tyranny, and how very easy it is to become (a fanatic) what you behold (fanatics, terrorists, hate crimes), and "become a tyrant in his stead."

Ignoramuses abound.  Do we think that all Christians are members of the Ku Klux Klan?

I'll be writing more on this topic for the December newsletter; and also for a January piece in The Risk Universe.  In the meantime, you might wish to review this excellent article from Continuity Central by my colleague Peter Power, in which he has excerpted simple "Stay Safe" checklists for everyone.