What's the most dangerous place in your office?
Most people figure it's the water cooler, that fountain of vicious gossip. Others think it's your desktop computer because, hey, you might send a snotty e-mail to the wrong person by mistake.
But, according to Alberta Information and Privacy Commissioner Frank Work, you should be taking a long, hard look at your photocopiers, digital fax machines and other wonderful mailroom tech toys.
"This started when the lease expired on our own office photocopier," says Tim Chander, research and issues manager in the commissioner's office. Realizing that it contained a hard drive, he asked the manufacturer how to clear the data before returning the machine. "It turns out there was no way to do that in the field," says Chander, "though they can do it back in their shop."
He explains that sophisticated new photocopiers are really full-fledged computers. When their hard disk (or memory chip) fills up, new information starts to overwrite the oldest data. However, the most recent batch of copied documents is still there.
According to Chander, "it's not easy to retrieve this data, but those with the right software can do it.
"We want people to think about this if they're copying medical records, or cabinet papers, or confidential oil and gas industry files," he says.
Chander contacted the office of Alberta's chief information officer and learned that a policy has recently been formulated to address this risk for Alberta government computers. Essentially, the government will pay extra to have electronic storage sanitized and demand proof that it was done.
The Canadian Department of National Defence goes even further, actually buying the hard disk or other media and then incinerating it, or as Chander jokes, "using it for target practice.”
He says Alberta's privacy commissioner is the first in Canada to issue a warning about this potential problem, but it's really a global issue.
Smart photocopiers, fax machines and multi-function machines are often connected to the Internet. "They do this so the service technician doesn't even need to come out to diagnose a problem," says Chander. "But, of course, this opens the machine up to risks, especially if the company's firewalls aren't strong enough."
Chander notes that sensitive information can be exposed in other ways, too. The commission's investigation files contain numerous examples. Hard-copy patient records from a physiotherapy clinic were recently found blowing in a field in Edmonton. Confidential medical files were spotted on a used computer at an Alberta thrift shop. They got there when a freelance medical records typist brought it in for sale without erasing the hard drive.
And, in a case that made the Canadian Medical Association Journal, a physician and former CMA president inadvertently faxed patient bloodtest data to the Vancouver Sun newspaper. The explanation? He put the paper's number on his fax machine's speed dial because he frequently sent letters to the editor, and he just hit the wrong button.
Every technological advance brings with it new vulnerabilities.
Hollywood celebrity Paris Hilton learned this to her dismay when her T-Mobile Sidekick phone was accessed by hackers. Its contents, from celebrity cellphone numbers to (presumably) steamy text messages and photos, were soon on the Internet for all to see.
The person who did this probably never got anywhere near Paris Hilton. The phone she carried automatically sends copies of its data to a central server. That's great if you lose or damage your phone since your pictures and phone numbers are backed up. However, it opens up another point of vulnerability.
In October 2004, 21-year-old Nicholas Lee Jacobsen was arrested for breaking into T-Mobile's computers and stealing photos and digital phonebooks. He pleaded guilty and now faces up to five years in prison.
So think about Paris Hilton when you get that new cellphone, or BlackBerry, or PalmPilot. Where is your data being stored? What protection do you have if you physically lose the thing? Most of all, don't put things on a portable device that you really don't want others to see.
And, while you're fretting around the photocopier, give a thought to copyright legislation and how it's probably going to change. There's mounting pressure for Canada to amend its copyright law to make it more like the U.S. Digital Millennium Copyright Act (DMCA) of 1998.
That controversial legislation not only banned things such as pirating CDs and DVDs; it also imposed restrictions on tools that can circumvent copy protection. So "one click" DVD copying programs like DVD XCOPY are now illegal in the U.S. That much-loved program has even made the Electronic Frontier Foundation's "list of extinct technologies."
But, guess what? It's available for sale (as DVD Copy Plus 4.2) at Future Shop in Canada for $39.99. What gives?
Having this kind of "electronic burglary tool," as some call it, is currently not illegal in this country. But you can be sure the commercial producers of DVD movies want it to be. As blank DVDs slip below the $1 mark, there's a whole lot of burning going on.
Not so fast, say representatives of Canada's computer security industry. They argue that banning tools that can circumvent technological protection measures (TPMs) will hurt Canada's fledgling cryptography and security industries.
A dozen Canadian high-tech CEOs have sent an agitated letter to Canada's heritage and industry ministers. It's signed by such luminaries as Bob Young, the Canadian who co-founded Linux pioneer Red Hat, Inc. and now is an owner of the Hamilton Tiger-Cats. Brian O'Higgins is there, too. He's with Third Brigade Ltd. now, but is better known as the co-founder of Nortel spinoff Entrust.
The letter criticizes the U.S. DMCA, noting that Princeton professor Ed Felton was threatened with litigation if he even talked about ways to defeat copy protection at an academic conference.
The letter writers conclude that granting "legal protection for TPMs is the equivalent of making screwdrivers illegal because they can be used to break and enter. Good legislation targets the illegal act, not the legal tools the crook might use."
This will definitely be a heated debate, with far- reaching consequences.
Xerox, the company whose copier sparked the interest in the privacy commissioner's office, pioneered the "big green button" philosophy of photocopying. It made that job simple enough for anyone to handle.
Now, it seems, using copiers, faxes, and other high-tech office tools is going to get a lot more complicated.
Web watch: www.oipc.ab.ca
www.cmaj.ca/cgi/reprint/156/6/847 (Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)
