Privacy and security are typically good things. But the way they are implemented or presented to real people to follow in the real world is not always realistic. Sometimes it is just downright ridiculous.
Monday, April 9, 2012
Doth Privacy Professionals protest too much?
If you didn't know any better, and as a point of reference only considered recent pronouncements about what online social media sites, search engines and mobile phone apps are doing with your data, you might just be frightened enough to go back to using smoke signals and carrier pigeons to communicate with the outside world.
There exists, however, a dichotomy of realities. On one hand, privacy professionals like me feel it is our God-given duty, as the more informed of the two parties, to relay and convey the risks and (apparently few) rewards of living in a digital world. (Just like you expect valid financial advice from your accountant; she knows more than you, you hope.) You can't pick up any newspaper, magazine or online article without being threatened with identity Armageddon by the use of Facebook, Google, Angry Birds, Hootsuite, Pandora, Yelp...and on and on and on. At what point do privacy experts stop being valued advisors and move toward simply being paternalistic and saving us from ourselves? Or worse: becoming crybabies?
We as users of technologies (me included) profess to care about our privacy, but the reality of the situation is that we generally do in practice the opposite of what we say. We have even given out our passwords and usernames to "researchers" for free chocolate. ISACA, a global information security association, recently published a survey that indicated 43% of people do not read the agreements on location-based apps before downloading them, and of those who do read the agreements, 25% believe these agreements are not clear about how location information is being used. (What is not really made clear in the statistics is how many of the users who read how their data is being used, still downloaded the app? More than 43%, I’ll bet.) Released late last week, the latest edition of the Angry Birds franchise was downloaded 10 million times in its first three days. How many people read the privacy policy, do you think? Every Apple iPhone update I have ever received on my phone has presented the policy and terms of use in no less than 60 pages.
It is probably the case that we have become desensitized to the news of our data being hacked, stolen or misused, which has left most people inert in the face of these events. When you are the recipient of a half-dozen of these "we lost a backup tape" or "a laptop was stolen" letters, and there is not an immediate 'sky is falling' event which follows, one becomes complacent; we start to ignore everything about the warnings, even when we should not. That state of being is called 'habituation.' According to www.animalbehavavioronline.com (how's that for a source!), habituation is "an extremely simple form of learning, in which an animal, after a period of exposure to a stimulus, stops responding. In the nervous system, sensory systems may stop, after a while, sending signals to the brain in response to a continuously present or often-repeated stimulus."
Politicians even now feel the need to publicly bully technology firms, since it is easy work for them and it makes it seem like Washington is actually doing something. With approval rates for Congress at historic lows, politicians feel the need to get as much visibility as possible, even if it means digressing into areas about which they have no knowledge, expertise or clue. (I wonder: has every problem facing Congress already been solved, so that they now have to worry about what the iFart app does with my personal information?!)
The facts of the situation are this: use of Facebook or Google is not mandatory (really, they're not!); you can still switch back to Friendster, Bing and MySpace if you'd like. Here's a corollary illustration. I recently had a bad experience with a car brand and dealer. When my lease came up for renewal, not only did I not purchase that car, but I did not and will not buy another car from that dealer. In fact, I won't even buy the same brand of car, because that dealer is the only one for that brand in a 50 mile radius, so I would have to take my car to that dealer. So what did I do? Actually, what did I not do? I did not ask government to regulate or step in to review this lousy dealer; I voted with my feet and took my business elsewhere.
It is true in most professions around the world that we tend to create and discuss ideas only within our professional bubble; at best, instead of just talking about bacon for breakfast, you may move to turkey bacon. It is rare if the discussion ever moves to dim sum. The same ideas, solutions and concepts are debated by and for the same people. So when a person or people in your group doth protest too much, he or she may be really only doing so for the benefit (or entertainment) of just the same circle of colleagues he or she interacts with.
Wednesday, March 7, 2012
Consumer Privacy Rage Hits the Pundit Himself!
Really? Sorry. I know I sound like a 14 year-old, but it's the best I could come up with when I saw this request from an app on my iPhone. The application, Hipstamatic, is one of my favorites and one of the more innovative photo-taking apps in the Apple store, yet it represents a lot of what is at the core of privacy complaints that even non-privacy wonks can relate to and experience personally.
I was very disappointed to see the window below when I tried to use my Facebook credentials to sign in (never a good idea) to the Hipstamatic account log-on that I had forgotten.
You can see the requested credentials that the app is asking for. But the real shocker, and indicative of the very privacy issue that more and more consumers are starting to awake to and protest against, is in the highlighted section at the bottom: the perceived need for access to my data even when I'm not using the application!
Is there anything left to say but, Really? ('WTF?' was a non-starter. My boss might be reading this blog)
Wednesday, January 25, 2012
The Most Egregious (and refreshingly honest) Privacy Policy You May Ever Read
This is an actual Privacy Policy, excerpted in all of its full glory from the website http://skipity.com, a Google-like search engine.
If nothing else, this policy should win an award for its 'emperor has no clothes' approach to privacy (or a lack thereof).
I would ask, "How much worse is this approach of pure and unadulterated honesty in advertising, versus the usual unfair and deceptive practices we have seen with some of the most sophisticated and privacy-savvy web companies in the world?" Read on and enjoy...
Privacy Policy
Sua sponte: Hereto within, both for consideration and exemplification in abeyance subject to adjudication pro se and terms whereto superseding justifies the underscore until res judicata thusly relieving ALL satisfactions. All parties hereby agree to wit habeas corpus.
We firmly believe that privacy is both inconsequential and unimportant to you. If it were not, you probably would not have a Facebook, Twitter, or LinkedIn account: and you certainly wouldn't ever use a search engine like Google. If you're one of those tin-foil-hat wearing crazies that actually cares about privacy: stop using our services and get a life.
We agree with Mark Zuckerberg when he pithily opined "The age of Privacy is Over."
Our privacy policy is a reflection of this conviction. Therefore, to satisfy the absurd privacy requirements of various legal entities (and so you understand exactly where you stand with us) we are pleased to present our privacy policy:
1. We are the company that cares about your privacy. Specifically, while most other companies are concerned with protecting your privacy, we care about profiteering and violating it when expedient or useful.
2. You may think of using any of our programs or services as the privacy equivalent of living in a webcam fitted glass house under the unblinking eye of Big Brother: you have no privacy with us. If we can use any of your details to legally make a profit, we probably will.
3. We will track and log everything we can about all the dirty (and clean) things you do and like with cookies, GPS, secure connections and or whatever technology exists today or becomes available at any time in the future.
4. By using any of our services, you grant us permission to surgically implant a tracking microchip of our choosing in your body and sell all collected information to the highest bidder . . . and to all other bidders. You also agree to regular updates and reinstalls of said device entirely at our discretion for up to 50 years after the end of your natural life.
5. If the opportunity arises to sell or otherwise use this or any information, data or meta data about you or your world, we will jump at that opportunity like a pitbull on a fresh steak.
6. Please email us to tell us some of your secrets. We may, at our sole discretion (or lack thereof), broadcast, reveal, sell, manipulate, or otherwise use these secrets, or any information we collect to our benefit whenever, wherever, and however we choose.
7. We are right now looking at you through your webcam. Do you always move your lips like that when you read? We also recorded what you were doing last week and are sending the video to (you know who). If the prior statements are not true, it's because in addition to everything else, we reserve the right to lie to you, and you agree to believe us and hold us harmless for any and all such lies. Furthermore, if we are not recording everything you're doing through your webcam, it's either because we haven't figured out how, you're just not that interesting, or both.
8. We are serious about all of the above. So don't go trying to sue us later with some nonsense like "I thought that was all satire." All your privacy are belong to us. We mean it.
9. Cookies: We like chocolate chip cookies. You agree to furnish any employee or associate of our company with fresh chocolate chip cookies upon request. That's the price of using our programs and or services (in addition to any other price we come up with).
10. Spam. You agree that nothing we do with the access and information you grant to us shall be called Spam: even if it is. We prefer the term "bacon", because . .. mmmmmmmm bacon.
That's it! So go ahead and try Skipity:
Thursday, January 5, 2012
My 12 Privacy Resolutions for 2012
1. Unsubscribe from all e-mails and newsletters you don't read, never read anymore or never actively signed up for. Your e-mail address is just going to be sold to other marketers or mailing lists anyway, so start to cut down on the clutter.
2. Update and strengthen the passwords that you use for critical, financial and other data-heavy websites.
3. Stop updating everyone on your location via smartphone apps. No one really cares, and you're just letting thieves know you are not home so they can rob you.
4. When putting mail in the mailbox for the postman to pick up, don't lift the flag to indicate that there is mail in the box. The mailman will find it anyway. Leaving the flag up tells ID thieves that you have some mail that may contain some interesting personal data.
5. Pay all of your bills online. C'mon, it's 2012.
6. Stop using your debit card to make online or offline purchases, or to buy gas; use a credit card only. Using a debit card gives a thief direct access to your checking account, making it difficult to prove fraud and preventing you from taking advantage of the consumer protection laws that most credit cards offer.
7. Do an exhaustive Google search on yourself to see what information is out there, so you can see what the blogosphere is saying about you, if anything.
8. Make sure the "Do not track" option is checked in your browser's settings.
9. If you haven't already, start to integrate the concept of 'privacy by design' into your business and/or IT development processes; don't try bolting it on once the process or application is complete and ready to be rolled out.
10. Formalize and publicize a social media policy within your company so everyone knows what the rules are.
11. Formalize and publicize your position on consumerized IT within your company, again, so everyone knows what the rules are.
12. Finally, realize that there is no such thing as 'free' on the internet. No free iPads or dinner coupons to the Cheesecake Factory, or trips to Disney World. Stop clicking on those offers or accepting the links on Facebook. And no, you are not really the 1,000,000th visitor(!!!) to a site and have not really won anything. Pass it on.
Friday, December 30, 2011
'Security Through Obscurity' shows lack of maturity
My last post for 2011 will be about a favorite and common topic amongst security professionals: the art and technique of 'security through obscurity.' Anyone and everyone in the privacy and security fields knows about this, and I am sure that 95% of the readers have knowingly used this approach to protect data and other assets (the other 5% are probably lying).
Simply put, the 'security through obscurity' control, if you will, is making some weakness so discreet, subtle or inconspicuous that you are hoping a user or bad guy does not find the loophole or back door, intentionally or otherwise. I am not talking here about unanticipated ways to defeat your explicit and obvious controls that the developers or programmers could never have contemplated; I am talking about the "ignore that man behind the curtain" ones. Exactly the ones that little Toto sniffing under a curtain uncovers... Like the empty police car on the side of the highway. Or like stating that your password complexity requirements are 9 characters that must consist of 1 lower case letter, 1 number, 1 special character and 1 upper case letter. And then not enforcing the policy.
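The password policy the post describes is only a control if something actually refuses passwords that break it. The following is an added illustration, not code from the post or from any product it mentions: it enforces the stated rules (9 characters, at least one lower case letter, one upper case letter, one number and one special character) at the point where a password is set. It assumes "9 characters" means a minimum of 9, and the user store and hashing parameters are hypothetical.

```python
import hashlib
import os
import re

# Policy exactly as the post states it. Reading "9 characters" as a minimum
# is an assumption; the post does not say whether longer passwords are allowed.
MIN_LENGTH = 9
RULES = {
    "at least one lowercase letter": re.compile(r"[a-z]"),
    "at least one uppercase letter": re.compile(r"[A-Z]"),
    "at least one number": re.compile(r"[0-9]"),
    "at least one special character": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str) -> list[str]:
    """Return every stated rule the password fails; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    for description, pattern in RULES.items():
        if not pattern.search(password):
            failures.append(description)
    return failures


def set_password(store: dict, user: str, password: str) -> bool:
    """Server-side gate (hypothetical store): the written policy means nothing
    unless this function refuses non-compliant passwords. Returns True when
    the password was accepted and stored."""
    if policy_violations(password):
        return False
    # Store a salted hash rather than the password itself; the iteration
    # count is a constructed example value, not a recommendation.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    store[user] = (salt, digest)
    return True


if __name__ == "__main__":
    users = {}  # constructed, in-memory user store
    for candidate in ["password1", "Ab1!", "Tr0ub4dor&3"]:
        accepted = set_password(users, "alice", candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'}",
              policy_violations(candidate))
```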
I got to thinking about this when I recently thought about a line in a Gnarls Barkley song, "Smiley Faces." The line was "Was knowing your weakness what made you strong?" Now I have asserted in the past that a secret is only a secret if it remains between a minimal number of people; when the world knows it, it becomes as useful and valuable as yesterday's newspaper. And if you were to make (most) private data held by governmental institutions and corporations easily available to anyone, acquiring it would mean nothing, since it could not be readily misused like it can be today. In the security context, knowing that the weakness exists in your application/program/website is the strength you need to resolve the fault proactively. And in the future, you can build in 'privacy by design' rather than trying to bolt on security after the fact. Always an ugly outcome, both aesthetically and from a user experience standpoint.
My point here is that relying on the 'security through obscurity' approach, to any degree, for information protection shows an overall lack of sophistication and maturity in your security process and program. I realize that many companies take this approach because it is cheap and fast to deploy; building in proper controls takes time and money. Ultimately, though, you will have two choices when you decide to take a path toward security: you can either pay now or pay later. You pay now by making the investment in proper coding controls and preventative measures; you pay later when someone finds the weakness/hole in your program, application or website and posts it on YouTube, and then you have to re-engineer the code all over again, making double work. In my opinion, paying now lays the groundwork in your organization for both a respect for security and privacy considerations as a corporate value, and for a discipline of doing the right thing right now.
Make a New Year's resolution, then, to avoid the temptation of at least one venial sin this year as you think about your security program and policies in 2012: the sin of sloth.
Happy New Year!
Sunday, December 11, 2011
Ignoring Risk management is the riskiest act of all
I always say that everything comes down to risk management. From whether you fly or drive to your vacation spot, to whether you have one more beer at the party, to what stocks you invest in within your 401(K), it all comes down to decisions about risk. Sometimes the decisions are monumental, but mostly they're insignificant. Most of the time we can ignore, or accept, the risks we take on daily with no impact; other times we see the very real repercussions.
If there were ever a poster child for what happens when you blatantly ignore risk management, it would have to be Jon Corzine. The former CEO of MF Global, former Governor of New Jersey, and former Chairman of Goldman Sachs, whom you would think would understand the essentials of risk management as well as anyone on this planet, apparently routinely ignored the pleadings of his Chief Risk Officer about the tenuous position of the firm's investment positions.
Tragically, Mr. Corzine not only ignored what his Risk Officer was telling him, he undermined him by complaining to others in the company about the "dour attitude and persistence" (?!?!) of the Risk Officer.
No surprise that the Chief Risk Officer was let go in March of this year.
Calling the act of ignoring risk management the riskiest possible action is a tautological overstatement of mythical proportions. It is true that America's culture, more than any other in the world, forgives failure, tolerates risks, and embraces uncertainty in almost any endeavor. In fact, the more brazen the better. Think of the Moon landing, or Evel Knievel.
Yet what is it about a CEO who is arguably a brilliant individual, with undeniable talent, insight and an ability to lead organizations successfully, that allowed him to take on risks that were not commensurate with his company's, or at least his Chief Risk Officer's, risk appetite? Your CRO and General Counsel should be the two people with whom you get full agreement on every significant decision that you as a CEO make. Undermining your CRO about his warnings on your risky behavior is like telling everyone your cardiologist is a 'Debbie Downer' because he diagnosed you with lung cancer.
I think our general nonchalance, or maybe disdain, for risk management in general stems from what we as lay people interpret as its accessibility. Everyone has heard or has used the question "What's the risk?" Yet how many people really understand true risk management principles? Inherent risk? Residual risk? Really? Do you know what it means? (Ultimately, I blame Parker Bros. for creating the board game Risk, which we all played as kids. Now everyone thinks they understand, in addition to world domination, 'risk.')
You rarely hear people throwing the term "quantum physics" around as cavalierly as we do the phrase "risk management." Many of us in the corporate world think we understand what risk management is, like many homeowners think they understand electricity or plumbing. Sure, you can change a faucet out or wire a ceiling fan, but would you as an untrained homeowner really think that it is worth the risk (the word, again) to rewire the circuit panel that powers your whole house? Most rational individuals don't think it is worth the tradeoff of saving the $300 it costs to have the electrician come and do the job right, versus the possibility of burning your own house down. A tough sell to the wife under any circumstances.
Just like I don't expect my dentist to tell me about best practices in privacy, I don't pretend I know the best way to extract a bicuspid either. So, please, begin to give risk management its due as a genuine discipline practiced by professionals who have different and specialized skills that you don't have. Don Corleone needed a professional risk manager (Consigliere, Tom Hagen) and so do you, I'll bet. Don't go it alone. It's not worth the risk.
Saturday, December 3, 2011
Ready for its closeup: Privacy in the Board Room
When (and if) you ever think of or hear the term "Board of Directors," you probably envision a panel of crusty old-timers sitting around a long board room table day-dreaming, doodling, or dozing off while a CEO goes through yet another Death by PowerPoint presentation. If you think those people are there just to enhance their resume and collect their stipend, think again. It's a whole new world for Board members these days.
The visibility and implied responsibility that Board members have in today's business environment is as substantial as it has ever been. No longer can Board members be asleep at the wheel while the CEO and/or the company explore every whim or hare-brained idea they want. Starting somewhere around the implosion of Enron back in 2001, investors and other interested observers began asking in earnest, "Where was the Board in all of this?"
As recently as late 2010, the Board of Hewlett-Packard fired CEO Mark Hurd in a very public way, claiming some impropriety with a female contractor and his expense reports. Even during the most recent scandal at Penn State, the media began questioning why the college's Board of Trustees did not raise a red flag or call into question the very questionable actions of a rogue assistant coach. So why has this group of people, who had forever been seen by many as rubber stamps, now suddenly, and finally, taken on the task of 'guardians of the corporate reputation'?
The Board of Directors or Trustees acts in trust for the shareholders and employees of a company, or the taxpayers and students in the case of a school. They are tasked with ensuring that integrity of action and quality of product is delivered by the institution with which they are engaged. It is a duty that should not be taken lightly, and it appears as though it is taken more seriously now than ever.
Good thing, too. In addition to overseeing their respective institutions, one duty that governing boards must address is the various competing priorities of mission, vision, growth and the mundane administrative. One contemporary matter that will be occupying the board's agenda more and more is that of privacy: privacy of customers' data, privacy of drivers' location, privacy of users' preferences, privacy of subscribers' habits, and on and on.
Privacy must be a board-level topic. Why? Because privacy and its first cousin, security, are not just compliance issues anymore; they are business issues. Business issues that deserve a seat at the table just like innovation, marketing, sales and design have had for years. A company with a core corporate value of privacy has a distinct competitive advantage over one that treats its customers' privacy cavalierly. Witness two of the year's highest-profile cases of consumer backlash against a company's apparent disregard of its customers' privacy: Google's covert use of Gmail accounts when it rolled out its Social Circles product in May this year, and Facebook's censure by the FTC for a host of infractions, all centered around their indifference to users' privacy. Both companies must now submit to privacy audits for the next 20 years, said the FTC. Facebook took its act of contrition seriously enough to go out and hire not one, but two (!) Privacy Officers in response to the action.
As a practitioner of the art, I take it as my responsibility to advance and elevate the issue of privacy all day and every day as far up the chain as I can, and to provide visibility into current and pending privacy issues to senior management and ultimately the Board if and when they need it. Like so many other topics this year that got their time in the sun (the Arab Spring, WikiLeaks, Occupy Wall Street, to name a few), it is the right time for another, quieter, more discreet but no less revolutionary movement: to finally bring privacy & security from the back room to the board room.