Monday, September 30, 2013

Porter's Outage: Dealing with an outsourcer's system failure

A couple of weeks ago, I got caught in the Porter Airlines network outage. I was heading back from a meeting in Ottawa and we had managed to get to the airport on time, only to find that we could not get our flight because the "system was down". Although I was scrambling to figure out how to get back to Toronto, my colleague had it much worse as she had a connecting flight back to Windsor! For me it was one of those "check out" moments. You know when you are at the grocery store and the guy ahead of you is haggling with the attendant, and you think to yourself: "Should I wait for this situation to resolve itself or move to the next line?" As the Porter folks informed us that they would give us a refund, I decided to book the next Air Canada flight back to Pearson (instead of the Billy Bishop airport, where I had parked). Although I was supposed to fly out at 9:20 PM, they managed to put me on the 7:30 flight. A number of us at the back were "refugees" from the Porter flight. It is tempting to get exasperated and complain in these situations, but one of my fellow refugees pointed out how this is essentially a "first world problem": we only ended up waiting about an hour and we had all the amenities (food, water, shelter, etc.) waiting for us when we got back to Toronto!

As reported in the Toronto Star, the outage was due to a failure at Navitaire, the provider of the "reservation and flight planning system" that Porter outsourced to. It turns out that other airline companies, such as AirTran, were also affected by the outage.

Surprisingly, this is not the first time that Navitaire has experienced an outage: the company also had an outage in 2010 that affected Virgin Blue airlines. As would be expected, Virgin sued Navitaire. The case was settled out of court. As noted by the Register (who commented on the 2010 outage):

"It is becoming more and more obvious that Navitaire's business continuance and disaster recovery provisions failed completely in this outage. There should have been standby systems ready to take on the load of any failed system or system component, but there weren't any. That is a blunder of the first magnitude by whoever designed, implemented and ran the system."

Well, it seems that the "blunder of the first magnitude" has repeated itself only 3 years later.

As you know from my previous posts, I have written about the cloud from a CPA perspective, so the logical question is: where is the SysTrust or other third-party review of their IT controls to ensure that this type of thing doesn't happen?

Well, I could not find it. The brochure for the services offered by Navitaire does not make mention of a third-party audit report. However, it is possible (although unlikely due to the cost) that Navitaire allows its customers to send in their own auditors.

Regardless, the incident illustrates the need for customers who outsource their operations to third parties to get an assurance report (e.g. Trust Services) that ensures that such controls (e.g. disaster recovery) are in place.

To Porter's credit, they gave me a refund and they also gave me a free flight to anywhere they fly. So from their end they did their best to make amends for the fiasco.

Wednesday, September 4, 2013

Verizon Mobile Push into Canada Evaporates: The Data Privacy Angle

Canadians had been anxiously awaiting the entrance of an American telecom giant into the Canadian mobile market. For years, Canadians have lived under the domination of a few giant players, which has resulted in Canadians paying some of the highest - if not the highest - cell phone rates in the world.

The government of Canada actually dedicated a website that illustrates the level of concentration in the market. Apparently, to address the issue, "Ottawa rolled out the red carpet to attract the U.S. mobile giant in the hopes of establishing a fourth mobile competitor in all provinces - not only in Quebec, where Quebecor’s Vidéotron is giving the Big Three a run for their money." (See the Globe & Mail article for the full context of the quote.) As this Globe & Mail article suggests, the hope was that Verizon would enter the market and force the incumbents to offer better prices.

However, Verizon announced that it has cancelled any plans to enter the Canadian market, thus dashing these hopes.

An interesting point to note, however, is the data security and privacy angle that the incumbents took to bolster their case to the Canadian public. The FairForCanada website (which is supported by the Big 3 telecoms) claims:

"Who do you want to own your private data?

Across the country, Canadians use their wireless devices to make calls, send text messages and emails, and browse the internet every day. That information should be safe, secure, and private. 

Will American companies say no to requests from U.S. government agencies, for customers’ personal data? 

Canadian wireless providers have a solid track record of protecting your data in compliance with Canadian laws. But what will happen with regard to the data of Canadians in the hands of foreign-owned wireless carriers? What laws will regulate the protection of your information? This is not a trivial issue. It is one that should be of concern to all Canadians."

It seems that the advocacy group was riding the fear of Canadians that the US will have access to their data.

It seems they have done their research.

As noted in this ZDNet article, "Since being signed into law in 2001, the Patriot Act has been cited as a viable reason for Canadian companies, government departments and universities to avoid the cloud due to the close proximity to the United States". In other words, fear of US surveillance has led to low demand for US-based cloud services. Applying the same logic, the incumbents were playing on this same fear in the hope that Canadians would stick with them.

However, this is only part of the truth. The reality is that Canadian companies have had to comply with similar legislation that requires them to divulge data to Canadian law enforcement. As noted by the Office of the Privacy Commissioner of Canada:

"In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities. Despite the objections of the Office of the Privacy Commissioner, the Personal Information Protection and Electronic Documents Act has been amended since the events of September 11th, 2001, so as to permit organizations to collect and use personal information without consent for the purpose of disclosing this information to government institutions, if the information relates to national security, the defence of Canada or the conduct of international affairs."

This is on top of the recent CSEC scandal (where the secretive agency is alleged to have illegally spied on Canadians), but one could argue that such surveillance was actually illegal. Ultimately, I had hoped Verizon would have entered into the market, but only to push down the rates. I would have ended up sticking with the Canadian mobile carriers because the data is one way or another in one jurisdiction.

However, all is not lost in terms of lower rates in the cell phone market.

It seems the government is hoping to entice voters by tackling a problem that does impact the productivity of Canadians (see this post which compares Canadian mobile access to access in India/China). For example, the CRTC has mandated a number of changes to the cell phone contracts that the wireless industry can legally offer, such as restricting the minimum contract length to two years.

But from a data privacy perspective, it seems the only way to get privacy these days is to live a technology-free lifestyle of yesteryear!

Sunday, September 1, 2013

"Images can't be verified": The limits of social media?

In previous posts, I have illustrated how information integrity concepts, and assurance more broadly, have played a role in media reporting. In the post, I noted the following as a way to act as a check on the media:

"Another probably more plausible approach is to leverage crowd sourcing and organize it to enable people to comment or blow the whistle on information that is produced in a manner that is inaccurate, incomplete or invalid. The Guardian actually did this for the MPs expenses: they built an app that allowed ordinary users to analyze MPs expenses (if interested check out the Google Docs Spreadsheet with this info). As noted in the article, there was another attempt to build such an app (see here for the alternative). This is both good and bad. It's good in the sense that no one organization has the ability to monopolize such initiatives. However, it is bad in the sense that the efforts of the crowd are effectively divided. Regardless, it does illustrate the potential for "crowd sourced audits"."

However, the events in Egypt, Syria, and the coverage of the Occupy Wall Street movement illustrate the limits of social media's ability to act as a check on "official sources". As noted in the following excerpt from the WSJ, there is a significant discrepancy in the death toll in the recent events in Egypt:

"The Associated Press cited the Ministry of Health as saying 525 people were killed across the country, with 3,717 injured. Interior Minister Mohammed Ibrahim said 43 policemen died in the assault, the Associated Press reported.

The Brotherhood placed the number of fatalities far higher—saying 2,200 people had been killed and more than 10,000 wounded."

To put the number of dead into perspective, the number killed (if the Brotherhood numbers are accurate) is on the same scale as the number who died on September 11, 2001, which was 2,977.

What is interesting is that the Egyptian military actually targeted cameramen to prevent images of the massacre from leaking out. For example, Mick Deane, a cameraman from Sky News, was shot and killed by the Egyptian army. Also, as you can see in the video below, Ahmed Asem (an Egyptian photojournalist) was killed while filming the Egyptian army killing others:

In Syria, even after horrifying images of chemical attacks were available from YouTube (no link was provided due to the gruesome nature of the attacks; however they can easily be found by putting "Syria Chemical Attacks" in YouTube), the mainstream media continues to refer to them as "alleged".

With respect to the Occupy Movement, almost 8,000 people have been arrested. However, the mainstream media does not cover this and so a major crackdown on a significant social movement is effectively invisible to mainstream society.

So what does this have to do with information integrity?

I have been fascinated with the portability of information integrity concepts to any information system, including the mass media system. For example, if one reads Manufacturing Consent, it is essentially a book that evaluates how the media is able to apply concepts, such as decision-usefulness, completeness, validity, etc to the way information is published or broadcast.

And this is the link to social media.

One may think that with official media being unable to compete with social media, it will be replaced by social media. However, this is only from a business perspective. The real question is whether social media does actually alter the ability of the mass media to set the parameters of debate. In other words, can you or I get on a blog, expose the truth about something, and change society based on the blog post?

As illustrated by the examples above, when the official media does not actually corroborate the social media, it effectively prevents social media from having an impact on society. As I mentioned in one of my earlier posts, the official media is still seen as a source of trust and verification, whereas social media is not. This ultimately prevents social media from ever truly supplanting old media, as people in a society ultimately rely on collective institutions to bind them together cohesively. So despite social media giving people the ability to contribute to the landscape of ideas, it has not fundamentally altered the essence of power structures in society.

In other words, the "information system" that is within the society still remains where it always has. And when the citizenry make decisions about societal matters, they ultimately rely on this information system for their opinions and beliefs, simply because the other sources can be doctored and faked, i.e. there are no official "information integrity" controls around social media. Consequently, countries - be they dictatorial or democratic - can crack down on their citizens and social media will not "materially" affect society's opinions or beliefs about the plight of that group or their cause.