A gift to yourself this year? How about a better privacy profile?

A headline today in the Motley Fool's great online financial site entitled The Best Gift to Give Yourself This Year, made me think about what might really be a great gift to give yourself, and at little to no cost. How about the notion of enhanced privacy? Or really what we are talking about is more anonymity, especially online.

In the last year I have seen and have personally used a number of great technological tools and best practices to help minimize my exposure and vulnerability to excess data proliferation.

Now, I am no technological Luddite or privacy alarmist, and I believe in and understand how the Internet works and how the low-cost model has benefited the modern world thanks to advertising. Yet, I am sure you have all seen quite often in the press the exaggerated reviews about services and applications that if used on your smartphone, would threaten the very existence of Western Civilization!?!!. I benefit fro many of these applications myself, but we are very very quickly coming to the point where the value proposition is tilting too favorably in the other direction against regular consumers. 

First up a couple of behavioral changes that you should consider adopting in 2013. For example, don't get in the habit of logging in to new applications or websites with your Facebook or Twitter or any other 3rd party credentials. I realize it is expeditious and convenient, but it allows not only the 3rd party site (Facebook, Google, Twitter, etc.) to continue to build a profile of you, but it lengthens the bread crumb trail of your actions and activities on the web. If you every want to disappear forever, you'll have a rough time of it since you left so many clues as to your possible whereabouts and past behaviour.

Second, start to take notice of new windows that pop-up in and around websites offering you the ability to control the cookie and ad choices that are shown to you.  You can begin to be much more proactive about what cookies some websites are allowed to leave on your machine when you visit that site. Most European websites (and some of the more forward-looking U.S. sites) now offer up an express consent option when you visit the site for the first time, to control how the site will track you now and in the future. A great product from a company called Evidon which services up the "AdChoices' icon on some websites will allow you to proactively opt-out of being tracked by hundreds of tracking companies with one click on a page on their website. Thru Evidon's Open Data Partnership (ODP), users can easily manage the profiles that different companies have created about them and their interests.

As for technology, and for the more paranoid among us, I have been using a browser called Tor lately that really hides or disguises your activities online. The service works by 'bouncing' your communications around a distributed network of relays around the world you connect to which is run by volunteers (i.e. you, if you use the browser). Tor prevents someone from watching your Internet connection and building a profile on you via the sites you visit. An added benefit is that the browser prevents the sites you visit from learning your actual physical location, and it lets you access sites which are blocked - which your IT guys at work will no doubt love. (as I was writing this blog,  I fired up the Tor browser and the IP address that my machine was displaying to the outside world made it appear as though I was in the Czech Republic. Good stuff!) 

This is just a short list of technologies and behavioral changes that you can easily adopt to  improve your privacy posture in the new year. Almost all of these services and activities are free. In most cases, the cost is nothing more than a few extra minutes of your time to set a profile or check a box on a website. Generally, there is nothing to pay for. All you need to do is start to pay attention.

Happy Holidays and Happy New Year!

"Secure data access in a mobile universe" - Interview with the Economist Intelligence Unit

I was recently interviewed by a journalist,  Lynn Greiner, who was working on a paper for the EIU and we talked about data security, mobility and the ever-common phenomenon of BYOD (bring Your Own Device to work).  

The full white paper is here (http://tinyurl.com/a76vfow) but here are some excerpts:

Preventing the data from being stored on a mobile device at all is another strategy. Al Raymond, vice president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.

Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.

Aramark’s Raymond says his company takes an alternative approach to device-centric mobile security administration. Workers use the mobile device purely as a viewer, leaving company data on Internet-connected (remove this) securely accessible  corporate servers that do the heavy computing, and not on the device itself.

The average cost of a corporate data breach incident hit US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That’s more than double the average cost in 2005. Mr Raymond thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may hit US$25m–US$500m.

Before the introduction of Aramark's formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. "It's no longer a wink and a nod," Raymond says. The higher the visibility of your program, the more likely it will be adhered to.

Mr. Raymond says that, although his business doesn't require it, separate environments for business and personal use are important, but if the policies surrounding them, or any other security measures, are not enforced, there will be issues. He says he is always surprised, when speaking with his peers, at how much of security in large organisations is just "smoke and mirrors". The words are there, the enforcement isn't.

The Three Stages of Employee Awareness...Where are you?

On this Thanksgiving Day 2012, as we make efforts to be aware of what we are grateful for, I can’t help but gravitate to other related aspects of awareness – employee awareness. Specially, employee awareness training and how it effective it is.

The other reason that this topic comes to mind is because I am currently developing a new privacy awareness curriculum for my company. Like every other developer of training, I am concerned about many things: the delivery, the topics, the accessibility of the material, the level of interest of the participant, the language I use, the vernacular, the jargon, and on and on.

I think training practitioners are at a point that it is no longer reasonable or practical to simply create a 90 minute training module packed with every law, regulation, procedure and policy statement about the topic in question, and rationally believe that it will have any impact on the employee. In fact, recent studies show that the shorter (15-20 minutes), more pointed training concepts that involve more interactivity with the viewer result in better retention of the material, and ostensibly, better overall compliance with your privacy, security or compliance objectives. I have also noticed that a trend towards ‘gamification’ of training is getting a lot of press for the way it mimics the participant involved in a video game. The idea is that this level of interaction engages the viewer on almost of sensory level, thus allowing them to fully embrace your curriculum, and ultimately your message.

I have a theory about employee awareness that involves three stages of awareness. It is my opinion that a majority of employees move through these three stages throughout their professional engagement and exposure to training in general. You can also see how, as a developer of awareness programs and as someone who is responsible for company privacy awareness overall, I am very interested in not only how employees move through these stages, but how quickly and efficiently.

The Three Stages of Employee Awareness

Stage 1 of Employee awareness is what I term the “I want to do the right thing” stage. Every employee (hopefully) comes to the organization with the best and most honest of intentions in mind. What they may lack is an understanding of what the right thing is – as your company defines it – and how to go about doing it.  This is where the onus is completely on the trainer to create a program that lays out the intentions of the curriculum in clear and unambiguous terms so that every level of employee throughout the organization walks away with the right message.

Stage 2 of Employee Awareness is what I call the “Is this the right thing?” stage. This level of awareness is where most employees in most companies are. The assumption is that training has been given already or that employees are somewhat aware of what they should or should not do as it relates to say, data privacy, and are conscious of some degree of best practices. This stage is also when employees are starting to exercise their knowledge and e-mail or call me with what they think is the proper way to protect or disclose data and what to just make sure it is correct. If your employees are reaching out to you before they act, then you know that your awareness campaigns and profile is starting to take root and pay dividends.

The last Stage of Employee Awareness is the “Employees just do the right thing” stage.  Since your staff now knows what is and is not the proper way to handle, process, share or store data, they no longer have to either wonder about it or ask you about it. What you have done to raise the visibility of privacy or data security awareness in your firm has now come full circle to bringing everyone up to the level of consciousness that you have. Not many companies are at this level of awareness utopia however. It takes a lot blood, toil, sweat and tears of employee engagement to get to this point, but it is possible – regardless of the industry or silo your company is in. And well worth striving for.

If your company is already in Stage 3 of Employee Awareness, then you have something extra to be thankful for this year.  ;-)

What If Privacy Polices Were As Easy To Read As IKEA Instructions?

I was building a wardrobe closet from IKEA the other day and I realized something remarkable after following the directions, page by page - and there must have been at least 25 pages of directions. Though the closet is over 9 feet tall and at least 8 feet wide, with hundreds of screws, washers, shelves, frames, tracks and bolts, I was able to easily follow the directions to a successful completion - and I am not very handy, let me say - without the directions ever posting a single word. Everything, and every page of instruction was a simple line drawing.

I began thinking about how other people with no privacy background, interest or expertise feel when they look at what we do in the privacy space. That is, how average users of websites and apps feel about the privacy policies that they come across or, god forbid, ever dare to read.  According to a recent study released by the digital branding firm Siegel+Gale, most users of Facebook and Google had fundamental gaps in understanding, even after reading the posted privacy policies, of what the websites were saying in those policies or what they did with customer information.  Think about what that says about the privacy profession and its ability to communicate a coherent message!!? Can you imagine any other industry in which its primary user base or target audience doesn't understand its products? Anyone you know buy a bicycle and not know how to ride it? Because of difficult to read and understand privacy policies, readers of those documents walk away from the policy with no more understanding of what is happening with their data then when they started. If that is the case, then you, as the writer of that policy, have failed your customer.

Years ago, the privacy role was taken by the General Counsel who was typically appointed the Chief Privacy Officer one day because she had written the privacy policy sometime before. It goes without saying that the document was probably a bog of legalese; a vague and deliberately obtuse read that only served to cover the company's metaphorical ass. Then, someone in the company heard that there was a Chief Security Officer in the building. Eureka! So now he should also in charge of security along with privacy. (They are the same things, no?). That worked out well for a while but then it was soon realized that the CISO's primary duty is to protect data so that no one gets to it. That didn't do the marketing folks any good, let alone customers who wanted control over their own data.

As time has elapsed, consumers matured, and our appreciation of the treasure trove that we call our database of customer and employee data begins to rise, I believe that the role of the privacy professional is now converging to a middle ground. The role is moving from the polar extremes it previously inhabited towards an individual with a skill set that is a confluence of three core proficiencies: first, an appreciation of the law, second, respect and understanding of security, and finally, a practitioners eye for the use of data and real world operational understanding of the business. When a privacy policy is written by someone with this kind of resume, an average user who reads it will know exactly what the company is doing with the data they collect and use. Maybe, someday, that privacy policy will be as easy to follow and understand as the directions for building an IKEA closet.

Privacy's Double-edged Sword - Protecting Good and Bad Guys

In our 'always on and connected world' there is certainly enough evidence of how the respect of privacy is a good thing. There are enough of my peers in the privacy space who have taken it as their God-given duty to protect us from ourselves, as if God spoke to them like He did to Abraham.Yet the tendency towards paternalism aside, and as much as the cry for more privacy protects us good citizens, it also  protects some bad guys as well.

In a the recent decision from Canada, the Supreme Court of Canada  indicated that employees may have a reasonable expectation of privacy for information that may reside on work-issued computers, at least where personal use is either permitted or reasonably expected. Sounds simple enough. But here is the nuance.

A high school teacher had a school-issued laptop in his possession that he was permitted to use the for incidental personal purposes as well . As a system administrator, he was also able and responsible for policing student use of their school-issued laptops, and could therefore access hard drives of student laptops.

The school had a robust Acceptable Use policy that stated, among other things, incidental personal use of laptop was allowed; teachers’ email correspondence was private, subject to certain conditions; all data and messages generated or handled by school hardware were the property of the school, and, finally, that users should not expect privacy in their files.

While an IT staff member was performing some routine maintenance on the teacher's machine, he found a folder on the laptop that contained nude and partially nude photographs of a female student . The technician told the school principal and the photographs were copied to a CD. The principal seized the laptop, and turned both the laptop and the CD over to the police. The teacher was then subsequently charged with possession of child pornography and unauthorized use of a computer.

The reason the Supreme Court interceded is because the police who reviewed the laptop, did so without a proper search warrant. They ruled that the teacher did have a reasonable expectation of privacy in his use of the laptop, as the school policy indicated that users were allowed some incidental use of the machine.

Though the Court did not rule specifically on the issue of how and if employers can monitor their employees and employees use of company or school owned equipment, the matter does highlight that the umbrella of privacy does protect both good guys and the bad guys from the same rainstorm. Though the teacher's behavior and activities indicate some deplorable and nefarious activities that are wholly inexcusable in any context, one must also recall that Lady Justice is most often depicted with a set of scales suspended from one hand, upon which she measures the strengths of a case's support and opposition. If you look closely, you will also notice that she is also often seen carrying a double-edged sword in her other hand, symbolizing the power of Reason and Justice, which may be wielded either for or against any party. Good or bad.

The Arms Race of Privacy Laws

This month Texas became the latest state to either introduce its own breach notification law, or modify its existing one. The Texas House Bill 300 is an update to the Texas breach law already on its books. The law is amongst the now 46+ disparate laws on the books that businesses in the U.S. must navigate and be expected to comply with if they do business in more than one state, or posses the information of a resident of more than one state. I imagine that this is the kind of convoluted (and expensive) business environment that companies in Europe had to deal with before the European Union codified most of their laws. 

A cursory reading of the Texas law's provisions makes it appear as though companies now have additional obligations in Texas. For example, the law states that you must train employees on Personal Health Information within 60 days of hire, rather than simply on an annual basis. (Damn your existing training regime that is done annually for administrative ease or convenience!) As well, if your company thought of yourself as only a business associate in Texas, well guess what? Voila! Even if you were simply acting as a 'business associate' for a client, this law now considers you a 'covered entity' under their definition.

 Lastly, the penalties under this law appear to be particularly egregious. The big difference here versus HITECH is that House Bill 300 can penalize a company everyday for each day they fail to notify patients of a privacy incident.

This precarious situation for large and small business alike is the Congress; failure to act in passing a national law, superseding every state law. When states get impatient for the Fed to act they take matters into their hands. Many times, especially in the case of privacy and security law, they do it with the best intentions. Unfortunately, we often get a morass of confusing and contradictory pronouncements that are either unbelievable overreaching in scope or just simply too complex and punitive for a small company to attempt to comply with. This 'arms race' of states passing their own laws sometimes results in laws so esoteric and narrow that it may lead a small company to just ignore, or rationalize that it is easier and cheaper to pay any fines associated with non-compliance than to try and comply with the law

.

And then sometimes you get laws that appear (at least to me) to be only knee-jerk reactions to high profile cultural events like texting while driving. Granted, this is a dangerous trend and equally dangerous activity that is a negative by-product of modern technology. It makes sense to not do it in practice, But to pass a law against prohibiting texting while driving is, to me, pure demagoguery. So, you can't text while driving, but you can still eat, drink coffee, change the stations on your radio, program your GPS sing, turn around the slap your kids, put on make-up, and on and on... or what about the recent phenomenon of companies asking employees for their Facebook passwords. I am not sure about your company, but since when did this become such a national epidemic, like SARS, or Swine Flu? Is this 1950 and employers are asking employees if they are now or have ever been a member of the Communist Party?  Sure, I believe it happens and it is wrong, but do we need to create and pass specific laws against it? Don't our legislators have anything better to worry about? 

Yes, all of these activities generate press and show citizens that their generally do-nothing members of Congress are actually doing something. (I like to recall of Hemingway's great line here: "Don't confuse motion with action."). But the outcome is just another law layered on top of all the other laws that companies, large and small, must deal with to be in compliance. The real ARMS race of nuclear arms proliferation ended between the U.S. and Soviet Union ended in the 1970's with the SALT I and II Talks. Maybe lives aren't at stake here as they were with ICBM missiles, but maybe we can convince Congress that the situation for privacy and security law compliance is dire enough to warrant a SALT talk for the prevent and further proliferation of these one-off, ad-hoc laws and end this arms race too.

Suddenly, The Ubiquity of Privacy (ready for its closeup)

 You know that experience you get when you buy a new brand of car - one that you had never paid much attention to -  then after you buy it, suddenly you seem to notice that same car everywhere like never before? Well, maybe only because I am in the privacy business, but it seem like now, as never before has privacy in the United States has taken the center stage in so many ways - both good and bad.

From the FTC to the White House to the European Union, many new formal and considered pronouncements are coming from very serious corners of the world. No longer are only policy wonks like me entertaining other wonks in on-line forums and privacy salons (our versions of Star Wars conventions), but serious space is being dedicated to topic of 'privacy.'

No longer is the topic of privacy relegated to serious mediums like Wired magazine or the New York Times, lots of main stream publications feature some article on privacy, usually the evaporation of it, examined in detail. The Europeans have long taken the matter of privacy as a very, very serious topic, and due to its history of abuse of data we understand why. But it might be taken too seriously, some say, as the need for personal privacy  may trump, tamper and stifle the innovation and creative spark that is the foundation of any entrepreneurial society.

Naturally, the prevalence of the stories of privacy are a direct of function of the use of smartphones, tablets, social media and the general trend of more openness and sharing of data in communities and via applications. What I am not so sure of, however, is the real importance and significance of privacy to average users of technology. I have seen studies and interviews of countless average consumers, of all ages, who profess that they care deeply about their privacy - both on and offline. Yet, words rarely reflect the reality. I can on the other hand quote just as many studies of similar users who practice not what they preach in the use of that same technology. A famous survey n 2004 of British commuters revealed that more than 70% of people would reveal their computer password in exchange for a bar of chocolate; and over a third of them gave it up without even needing a bribe. And how many more endless stories do we have to read about where when a database of passwords is hacked, it's shown that most people's passwords were as simplistic as "password," "1234567" or "abc123?"

Some argue that this realty reflects a failing not of the users of technology per se, but of the technology itself. Think about how many sites that require unique usernames and passwords. Some web sites want a password no longer that 7 characters; some passwords must be only numbers and letters; some passwords must be numbers, letters and special characters; some passwords must be at least 14 characters long; some passwords must be ....ahhhhhhhhhhhh!  It is true that there is really no easy-to-use, universal way to log-in securely to any and every site you use obviating the need for 25 different passwords of varying length and complexity. So naturally, people take the path of least resistance and create accounts and passwords that are easy to remember and use those same passwords across multiple sites, putting their security and privacy at risk in the process.

It is, however, a good thing though that we are least having this conversation about privacy and the value of it. The explosion of social media, especially amongst the young and portability of technology has been the proverbial gasoline for the fire. I don't think the pyre has fully gotten to the point of a 5 alarm blaze yet, but we will get there. And soon. This will happen and has to happen before we as individuals and collectively as a country start to take the idea of our privacy as seriously as the Europeans do. In 5 years, I predict that there will be a convergence to a perfect median point from where the United States is now on privacy and where Europe is now. That sweet spot will be the inflection point where both privacy of individuals is demanded and taken seriously by companies, and where the flag of privacy is still able to wave breezily in the winds of innovation and imagination. That is when privacy will be truly ready for its close-up, and we'll actually like what we see.