Privacy F*ck-up Design

I was preparing to write about anti-patterns for Privacy by Design, but after the IT-scandal in Sweden this week, I needed stronger words.

Computer Sweden found out that recordings of 2.7 calls to public care in Sweden were exposed on the Internet by an outsourcing partner in Thailand. (Their server was located in Sweden.) These recordings contained personal information about adults and children, including health-related data, and in some cases their phone numbers.

All information was publicly available, without username and password. If you connected to the server with the address, you got full access.

Video from Computer Sweden

According to the article, the companies involved denied the problem or said they didn’t know the details of the technical solution.

Another source of information, not yet verified, pointed out that their servers had a number of known vulnerabilities due to unpatched systems. A third, unverified, source said it was still possible to access the data by exploiting the vulnerabilities.

My clear verdict is that they have not thought of Privacy by Design, either from an organisational, an application or an infrastructure perspective.

I have asked the health care provider which information they have stored about me, and whether my calls to healthcare are in the leak.

To be continued...

A case for Privacy by Design


Would you buy a new car today without ABS-brakes, airbags and safety belts?  

Of course not. You wouldn’t buy a new car like this if it were available on the market. An old vintage model perhaps, but not a new car.

And in most developed markets, it wouldn’t be legal to sell cars like that. Today you need to design a new car that helps the driver avoid accidents and, if there is an accident, minimises the damage to the driver, passengers and others.

When you are implementing new IT systems, do you think about the personal safety of your customers and employees?

Is the system you are developing, the system you are buying or the cloud solution you are looking at designed with privacy in mind? If not, you are probably breaking Article 25 of the GDPR, Privacy by Design and Privacy by Default.

Nor will you be able to use privacy as a commercial advantage in your products and services if you are not proactive when designing them.

Third, by not designing for privacy, you will incur a technical debt that will be costly to fix afterwards, and the cost of major security incidents could be very high and even put the whole company at risk.

Old is the new new

There was a question from Gideon Slifkin about ”What is an Enterprise Architect in 2019” on LinkedIn a few days ago.

One of the alternatives he wrote was, ”Someone who knows (from an architectural perspective) all the key IT technologies in 2019”, and he then gave examples of them. This answer came out as one of the most favoured skills for an Enterprise Architect.

But concepts like APIs and microservices are not new. Renting capacity in a virtual machine on a remote computer and paying for usage is not a new idea either.

At the end of the 1980s, we designed a production system for a manufacturing company. We needed 24/7 availability as the factory ran around the clock. We were collecting events when they happened in near real-time and used them to control production in the factory via PLC systems. All systems were designed to be autonomous and have redundancy.

We built a local network using optical fiber, Ethernet and TCP/IP in order to be vendor neutral. The new application was developed on VAX/VMS, written in C and with embedded SQL for the same reason. For integrating with production equipment, we used a ready-made asynchronous API over TCP/IP. Scalability and redundancy were managed by using network cluster technology.

We talked about hypertext and used the concept for internal documentation, but the World Wide Web would not be invented until a few years later.

This was before client-server took off and we still ran terminal applications, but on PCs. The remote computer was an IBM mainframe and we paid a lot for CPU and IO.

What we didn’t have was AI & ML, and the security in some parts of the solution was not up to today’s standards, but otherwise our thoughts were much in line with today’s thinking.

This is why I say that old is the new new, both in IT and in fashion.

Six O'Clock News DevOps

The Six O'Clock News on TV is a very good example for those who want to run DevOps.

Each day at 6 pm, every day of the year, you have to broadcast the news. Regardless of what’s happening.