This Week, "Operating System as a Service, part 4"
In this post, learn about the history of Cortana, the sexy, naked digital assistant that evolved from a parrot, the government accessing your files, and Microsoft currently managing the single largest repository of PII in the world.
In the last three posts, we have seen that Microsoft is collecting a copious amount of information. Taken individually, that information is somewhat anonymous. However, Microsoft shares data among its own services, and as such has access to more than enough information to justify the concerns of those who don't feel like sharing their lives with Microsoft. While this might be a personal intrusion or inconvenience for most, it is a completely different issue for business and professional practices. With stockholders, owners and business interests to protect, does allowing potentially secret data to be snooped undermine the defensibility of intellectual property claims later? For doctors and lawyers, regulatory issues may mandate that they cannot continue to use Microsoft-supported operating systems due to the unrestricted collection of potentially private patient and client information. We discuss the strategic issues associated with whether regulated businesses can knowingly trade convenience and a free upgrade for privacy, especially when the information being traded may not be theirs to trade.
Jim Lehrer: Well, that brings us to the close of tonight's debate. Each candidate will now give a brief closing statement.
Al Gore: Jim, may I make two closing statements?
Jim Lehrer: I'm afraid not. In fact, we are almost out of time, so I will instead ask each candidate to sum up, in a single word, the best argument for his candidacy. Governor Bush?
George W. Bush: "Strategery".
Jim Lehrer: < stunned > Vice-President Gore.
Al Gore: "Lock-box".
Jim Lehrer: This concludes the first debate. Thank you, and "Live, from New York, it's Saturday Night!"
The SafeView Research Report is intended to give you a snapshot of technology risk management issues. SafeView is a reliable source for automated risk, threat and vulnerability data, and advisory services to help you mitigate and remediate issues.
In 1995, Microsoft introduced "Microsoft Bob" in an effort to provide a more engaging computing experience. They used common elements, like a trash can to delete files, a digital home with a door knocker, and the digital assistant. Rover Retriever was introduced with MS Bob. While most of Bob was not well accepted, Rover persisted for over a decade.
From 1995 to the present, Microsoft has worked hard to sell users on the idea of personal digital assistants.
Who is Cortana?
Cortana is an artificial intelligence assistant for Master Chief Petty Officer of the Navy John-117, both characters from the Halo game series. Cortana was created from the cloned brain of Dr. Catherine Elizabeth Halsey, the developer of the SPARTAN project, a program to create cybernetic super soldiers and a network infrastructure to support their knowledge acquisition and development. Cortana is visually represented as a naked, nubile woman with body art and can only be seen through holographic projections.
She was developed as a hacker, an intelligence asset meant to gain access to systems and collect information. Her role evolved over time to serve Master Chief John, but she always seems to have an undisclosed agenda.
While Master Chief John and Cortana develop a close and trusted relationship, her motives are questionable. Inherent in her design, Cortana was expected to outlive her peers, but her actions after a normal seven-year lifespan became potentially self-serving.
By design, she harvests information regarding Master Chief John and the things around him. She has the ability to self-replicate, and her clones communicate with her, each with the same overall directive. Cortana can navigate through dissimilar networks, spawn copies of herself, and even restore herself if she is destroyed.
"You have no idea how this ring works, do you? Why the Forerunners built it? Halo doesn't kill Flood, it kills their food. Humans. Covenant. Whatever; we're all equally edible. The only way to stop the Flood is to starve them to death. And that's exactly what Halo is designed to do: wipe the galaxy clean of all sentient life." - Cortana reveals the true purpose of Halo to Master Chief John.
During development, Microsoft's digital assistant was named after Cortana, the naked female digital assistant and professional intelligence asset with questionable motives. Windows 10's Cortana has the voice of Jen Taylor, the same person who provides the voice for Cortana in Halo. Cortana is now the representation of Microsoft's new generation of digital assistants, starting with Peedy and Rover, and now represented as an alluring submissive female, waiting to serve her master, while possibly serving a larger objective.
Cortana, Halo, http://microsoft.com
Microsoft's Windows 10 digital assistant is offered to computer users as a way to streamline their computing experiences. This incarnation of Cortana is named after a naked female spy that was designed to operate as a seductive assistant, had a hidden agenda, nearly destroyed the user to whom she was assigned, while she helped win the war by having Master Chief John wipe out all life on a planet. Cortana was always tied to Dr. Halsey in her hidden mission objectives. Is Cortana playing two sides in Windows 10?
The single largest healthcare data repository hacked, multiple times
The Department of Health and Human Services has been hacked multiple times since Obamacare went live. These hacks have exposed over 30,000,000 very personal health records.
2/15 - 30MM records
7/14 - No PHI
Trusting large organizations with personal data will result in infrequent apologies when personal information is mismanaged. Individuals have to anticipate the worst when looking at the probability of a data breach. HHS.GOV is potentially the largest repository of PHI with nearly 20,000,000 registered users as of 1/2016.
The Stored Communications Act, and why your data is more vulnerable than you know
Not unusual is the fact that the US government is asserting global jurisdiction over any data in some way related to clients of Microsoft. The US government has a long history of overreaching. Technically, it is asserting jurisdiction in another country, and the US has not pursued the legal process in that country to gain access to the target data. While Microsoft might have prevailed in a foreign request, there is clearly a long-term advantage for the US government. There is little downside for the government in bringing this claim, but the upside is being able to assert an uncontested claim over all Microsoft data stored anywhere in the world, merely because Microsoft is headquartered in the US.
There are some arguments that if the US were allowed to prevail, this would open US subsidiaries to information requests from countries around the world. The bigger issue is that this would legally erode borders, and establish a framework for extending jurisdiction across borders.
Individuals cannot reasonably defend themselves against a country. What about when China needs copies of your health records? What if your country of family ancestry wants your records? If we are in control of our own data, or business data, we have defenses.
"The Constitution, through the Fourth Amendment, protects people from unreasonable searches and seizures by the government. The Fourth Amendment, however, is not a guarantee against all searches and seizures, but only those that are deemed unreasonable under the law."
Regulations exist in key industries, like legal, financial, and medical, and other organizations are regulated on behalf of stockholders. Ideas are the key asset of corporations. They are more important than the buildings, chairs and computers. Doctors are obligated to protect patient health information, and all providers engaged by the doctor must commit to protect the information at the same level as the doctor. The business associates are held equally responsible in the event of a privacy breach. Lawyers manage secret and privileged information on behalf of clients.
What we have learned is that currently supported Windows operating systems include software to harvest secret data from users. Microsoft has embedded technology to track users, preferences and activities, and it obfuscates the way that it describes the depth and breadth of these data collection activities. While this might actually be acceptable activity for consumer desktop software, it introduces a number of serious risks for businesses and professional organizations.
Inadvertent Intellectual Property disclosure
Policies have to define the way that information is managed within organizations. For an organization, intellectual property may be its most valuable asset. Inadvertent, unintentional disclosure, even through negligence, could undermine patent claims initially, or later, in the event of litigation. Secret data, the inception of an idea, and the key notes may all be in Microsoft's possession, based on the disclosures of what they are collecting. What if Microsoft applies for a patent on a technology remarkably similar to that of a Microsoft client? Would they disclose the client as a co-inventor? Would they have to?
If Microsoft is doing business with a client from whom they actively collect broad swaths of data, and such data gives Microsoft insight into the business relationship that gives them an advantage, does the client have any recourse? Maybe not. The EULAs were available for review. It is not a viable excuse that Microsoft stole your clients because you did not have four hours and a law degree to read the EULA, but you accepted it nonetheless.
Doctors are now held accountable to the Health Insurance Portability and Accountability Act of 1996. From the HIPAA Privacy Rule:
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
What is a Business Associate?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.( ... ). The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
What does a Business Associate Agreement protect?
The agreement ( ... ) specifies how the health information will be used by the business associate. The associate must have various safeguards in place to protect the information properly and is required to report any unauthorized use of the information immediately. The patient or related entity that signed the agreement has the ability to revoke the disclosure in the case of certain events, some of which can trigger an automatic termination of the agreement itself.
Microsoft offers Business Associate Agreements to Covered Entities (medical practices) for their cloud services, but has not made anything like this available for the desktop platforms Windows 7, 8, and 10.
Until Windows releases instructions for HIPAA and HITECH compliance, do not upgrade to Windows 10 if you deal with PHI. (http://blog.capterra.com/hipaa-compliance-and-windows-10-5-things-you-need-to-know/)
Classify all information - Create an information classification policy
  Identify all types of information collected, stored, generated and shared
  Within the classification, define what level of disclosure is allowed for each type of information
Classify all machines - Create an asset classification policy
  Each machine has to be classified for the type of work it can do and the type of classified data it can handle
  Part of the asset classification will define what the asset can do: network access, security issues, operating systems and other restrictions
Implement protections - Create an operating system approved build policy
  Develop the approved platform for each asset classification
  Scan all devices on the network for compliance with the policy
Report - Create an audit and reporting policy to report on compliance with existing policies
  Develop reports that show overall assets, compliant software on assets, and approved classified data on each asset
Segment the network - Create a network architecture policy
  Physically isolate data by classification, and isolate assets by classification
Segment applications - Create an application hosting policy
  Deploy applications within the network in compliance with the hosting policy
Utilize identity and access management for all users - Create an identity and access control policy
  Define who can get in, what they can see, and then audit compliance
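One way to carry out the scan and report steps of the checklist above, as an added example that is not part of this report: the approved-build table, the required network segments and the asset inventory are constructed assumptions standing in for a real classification policy and a real device scan.

```python
"""Check a scanned asset inventory against an approved-OS-build policy keyed by
data classification, and aggregate the findings into a compliance report.
Policy tables and inventory below are constructed for this example."""
from collections import Counter

# Assumed policy: OS builds approved for each data classification. Assets that
# handle PHI or privileged data are not allowed on Windows 10 until a BAA exists.
APPROVED_BUILDS = {
    "public":     {"Windows 7", "Windows 8.1", "Windows 10"},
    "internal":   {"Windows 7", "Windows 8.1", "Windows 10"},
    "phi":        {"Windows 7", "Windows 8.1"},
    "privileged": {"Windows 7", "Windows 8.1"},
}
# Assumed policy: network segment an asset must sit on to hold each classification.
REQUIRED_SEGMENT = {"phi": "clinical", "privileged": "legal"}

# Constructed inventory, shaped like the output of a device scan.
INVENTORY = [
    {"host": "ws-reception-01", "os": "Windows 10",  "data": ["public", "internal"], "segment": "office"},
    {"host": "ws-exam-03",      "os": "Windows 10",  "data": ["phi"],                "segment": "clinical"},
    {"host": "ws-billing-02",   "os": "Windows 7",   "data": ["phi", "internal"],    "segment": "office"},
    {"host": "ws-partner-01",   "os": "Windows 8.1", "data": ["privileged"],         "segment": "legal"},
]

def check_asset(asset):
    """Return the list of policy violations for one asset (empty list = compliant)."""
    findings = []
    for cls in asset["data"]:
        if cls not in APPROVED_BUILDS:
            findings.append(f"unknown classification '{cls}'")
        elif asset["os"] not in APPROVED_BUILDS[cls]:
            findings.append(f"{asset['os']} not approved for {cls} data")
        want = REQUIRED_SEGMENT.get(cls)
        if want and asset["segment"] != want:
            findings.append(f"{cls} data on segment '{asset['segment']}', expected '{want}'")
    return findings

def compliance_report(inventory):
    """Aggregate per-asset findings into the figures the audit policy asks for."""
    findings = {a["host"]: check_asset(a) for a in inventory}
    return {
        "assets": len(inventory),
        "compliant": sum(1 for f in findings.values() if not f),
        "data_by_class": dict(Counter(c for a in inventory for c in a["data"])),
        "violations": {h: f for h, f in findings.items() if f},
    }

if __name__ == "__main__":
    for host, issues in compliance_report(INVENTORY)["violations"].items():
        print(host, "->", "; ".join(issues))
```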
We can no longer say that we "think" Windows 10 is safe for business. Based on the information being collected, and considering the fact that much of that information may belong to third parties (corporations, clients, patients, etc.), we must define diligent and responsible information management policies, implement them, audit for compliance, report on compliance, and hold people accountable. The responsibility to comply with information secrecy, disclosure and privacy requirements is not Microsoft's.
While technology vendors like Microsoft will fight to protect their reputations, your electronic data may be vulnerable to sweeping and warrantless claims in the future. What starts as access to prevent crime becomes a way to audit census data, check healthcare compliance and collect statistics without disclosure. Don't see this as conspiracy theories or a bunch of scary Big Brother noise. Rather, effective risk management involves looking at threats, calculating the probability of an event, and then weighing the cost of an exploit to an organization against the cost of mitigating the risk.
Put together a disaster recovery and business continuity plan. Within it, work through a scenario that all of your private, internal, business data, client and patient data, is accessed, and you are named as complicit due to negligence.
What would this cost the business?
How many clients would you lose?
Do you have sufficient insurance coverage?
What would it take in money, effort and time to recover?
What would be the permanent damage to the organization and the individuals within it?
I am sure that none of this will significantly affect any of us, or if it does, I doubt that we will ever know. However, the cost of mitigating the risk is so much less than the cost of a single exploit event involving exposure of the kind of data that we are discussing.
If you use something other than strategery to manage business risk, it is only reasonable to seriously consider this issue, develop strategies, policies, internally audit, and then put a plan into action.