Sunday, June 3, 2012

Dissecting modern privacy concerns

From my recent interview with Help Net Security: http://www.net-security.org/article.php?id=1721&p=1

Based on your experience, what are the critical issues in understanding the very nature of identity in a society actively building bridges between the real and digital world? How can we share more, connect with others, and protect our privacy at the same time?

That is the great question of our time for privacy professionals, isn’t it? And the whole explosion of social media has thrust the issue of ‘identity’ into the spotlight for us to deal with, and it has come upon us with very little advance notice to allow us time for proper preparation. 

From what I’ve seen, there exists in both the online and offline worlds a dichotomy between proper authentication of an individual – that is, the individual is who they say they are – and the contrary position of oversharing of information by individuals so that we know too much about them, to some detriment. Obviously, fraud and identity theft are the result of improper authentication of a person to whom services are provided (i.e. too little information).


Embarrassing revelations to both individuals and corporations are the result of too much transparency. The problem of authentication is essentially the function of requiring too little information to validate the credentials of the person asserting their identity. At some point, institutions will have to realize that there should be no comfortable level of acceptable losses and raise the bar on proof of ‘who you are is who you say you are.’ Right now, for example, you can walk into any big box store and open an instant credit account with only a driver’s license as proof of identity. It would be one thing if driver’s licenses were difficult to reproduce, but most of us know it’s as easy as creating a business card these days.

On the other side of the fence is the critical issue of too much openness and ability to share one’s life with little notion as to the consequences. I think ultimately we will have to create some kind of firewall between the real life you live and have, and the online version of that presence – some kind of official, vetted and legally binding avatar. Many people need and should have that defensive layer between the two for many reasons: lack of prudence, lack of sophistication, inability to self-censor, etc.



Technology will have to, and I am confident can, design that perfect solution that strides the median strip between proper identification and allowing some degree of privacy while online. The notion of privacy as a discrete discipline and valuable asset to one’s existence has only recently come into popular consciousness, so it may be a little while before we catch up with much faster technologies that encourage sharing and social interaction (all the while attempting to monetize the behavior!).

The number of social networking users is growing exponentially, with most of them unaware of the privacy and security implications of the personal data they make available online. What type of problems do you expect careless users will have in the future? Are we moving towards a society where there is no privacy at all?

I think we have already seen the universe of reasonably untoward outcomes of people oversharing. Just ask Anthony Weiner. He was, for example, a well liked and respected New York politician with excellent long-term prospects in his party. After one imprudent series of actions, his political career, if not over, has been severely damaged. And yet, for every one high profile Anthony Weiner, there are 10,000 little people who have irreparably damaged their own lives for what they posted on Facebook, Twitter and YouTube.

I think we will always have a state of privacy, or at least a concept of what is acceptable by ‘normal’ society. Until the time when every behavior done behind closed doors becomes commonplace, there will always be a place and appreciation of the idea of privacy. Having said that, I do not think we will ever return to the halcyon days of privacy that, for instance, U.S. Presidents like Franklin Roosevelt and John Kennedy enjoyed. In this day and age of ubiquitous technology and 24-hour-a-day cable news programs, privacy and secrecy are the first casualties.



I do believe, however, that we will soon experience a swing of the pendulum to the other side, as we typically do in most matters that we as a society decide we have taken too far, too fast in one direction. In the near future, as technology begins to allow us to more perfectly choose how we present ourselves online and to the degree we are most comfortable, we’ll settle on an equilibrium. I would say we are at least 3 years away from that inflection point.

The over-sharing phenomenon fueled by Facebook users drives cybercriminals to innovate. One of the latest growing trends is automated social engineering which enables attackers to easily mass profile a lot of people. Should the companies running social networking sites make sure their users understand the privacy implications of their actions even though it hurts their bottom line?

Absolutely. It behooves any company offering a service to build in and promote privacy as a feature and component of the delivered experience. Without an expectation of privacy, customer trust will not follow, and the technology will ultimately not advance. It would be incredibly short-sighted of a company to ignore the 800 pound gorilla of privacy consideration in the room while trying only to monetize the user data that it is entrusted with.



In fact, any company that takes that path has already written its obituary. Yet, I can understand why some companies are not at this point yet. We as consumers constantly say, when polled, that we value our online privacy and take proper precautions to protect it. Yet, when given the chance to get a free chocolate bar outside of a grocery store for the small price of handing over our username and password to an e-mail account, we do so in very large numbers.

I sense, though, the tide is slowly turning. It is only now beginning to be realized by companies that they can actually use their positive privacy posture as a competitive advantage versus their competitors. It won’t be long before consumers and customers also begin to evaluate the worth of doing business with a brand by the degree to which that company protects or values the privacy and protection of the data which its customer base hands over. Consumers are quickly growing disenchanted with the model of a free service at the cost of unlimited and unrestricted use of their data. I think fairly soon the ‘no free lunch’ mantra will be realized as it was originally meant to be.



You are one of the keynote speakers at Data Protection & Privacy Law Compliance. Can you tell our readers more about the event?

The Data Protection & Privacy Law Compliance conference is going to be a great event for both experts in the field who need to walk away with one or two new ideas, as well as other professionals who have recently entered the privacy and data protection field. I am very excited to be part of it. One of the great features of the event is the roster of top-tier talent that will be speaking. Rarely do you get a concentration of experts in one event that also features an expansive array of very topical issues.

Looking over the proposed agenda, I noticed that there are offerings that are very focused on a particular topic – like my topic on vendor management & oversight – and also broad topics like privacy issues that arise from the use of social media. Without a doubt there will be something for everyone.
