In our 'always on and connected world' there is certainly enough evidence that respecting privacy is a good thing. There are enough of my peers in the privacy space who have taken it as their God-given duty to protect us from ourselves, as if God spoke to them like He did to Abraham. Yet the tendency towards paternalism aside, and as much as the cry for more privacy protects us good citizens, it also protects some bad guys as well.
In a recent decision from Canada, the Supreme Court of Canada indicated that employees may have a reasonable expectation of privacy for information that may reside on work-issued computers, at least where personal use is either permitted or reasonably expected. Sounds simple enough. But here is the nuance.
A high school teacher had a school-issued laptop in his possession that he was permitted to use for incidental personal purposes as well. As a system administrator, he was also able to, and responsible for, policing student use of their school-issued laptops, and could therefore access the hard drives of student laptops.
The school had a robust Acceptable Use policy that stated, among other things, that incidental personal use of the laptop was allowed; that teachers' email correspondence was private, subject to certain conditions; that all data and messages generated or handled by school hardware were the property of the school; and, finally, that users should not expect privacy in their files.
While an IT staff member was performing some routine maintenance on the teacher's machine, he found a folder on the laptop that contained nude and partially nude photographs of a female student. The technician told the school principal and the photographs were copied to a CD. The principal seized the laptop, and turned both the laptop and the CD over to the police. The teacher was subsequently charged with possession of child pornography and unauthorized use of a computer.
The Supreme Court interceded because the police who reviewed the laptop did so without a proper search warrant. The Court ruled that the teacher did have a reasonable expectation of privacy in his use of the laptop, as the school policy indicated that users were allowed some incidental use of the machine.
Though the Court did not rule specifically on whether and how employers can monitor their employees' use of company- or school-owned equipment, the matter does highlight that the umbrella of privacy protects both the good guys and the bad guys from the same rainstorm. Though the teacher's behavior and activities indicate some deplorable and nefarious activities that are wholly inexcusable in any context, one must also recall that Lady Justice is most often depicted with a set of scales suspended from one hand, upon which she measures the strengths of a case's support and opposition. If you look closely, you will also notice that she is often seen carrying a double-edged sword in her other hand, symbolizing the power of Reason and Justice, which may be wielded either for or against any party. Good or bad.
Privacy and security are typically good things. But the way they are implemented or presented to real people to follow in the real world is not always realistic. Sometimes they are just downright ridiculous.
Monday, October 29, 2012
Sunday, September 30, 2012
The Arms Race of Privacy Laws
This month Texas became the latest state to either introduce its own breach notification law, or modify its existing one. The Texas House Bill 300 is an update to the Texas breach law already on its books. The law is amongst the now 46+ disparate laws on the books that businesses in the U.S. must navigate and be expected to comply with if they do business in more than one state, or possess the information of a resident of more than one state. I imagine that this is the kind of convoluted (and expensive) business environment that companies in Europe had to deal with before the European Union codified most of their laws.
A cursory reading of the Texas law's provisions makes it appear as though companies now have additional obligations in Texas. For example, the law states that you must train employees on Personal Health Information within 60 days of hire, rather than simply on an annual basis. (Damn your existing training regime that is done annually for administrative ease or convenience!) As well, if your company thought of itself as only a business associate in Texas, well guess what? Voila! Even if you were simply acting as a 'business associate' for a client, this law now considers you a 'covered entity' under its definition.
Lastly, the penalties under this law appear to be particularly egregious. The big difference here versus HITECH is that House Bill 300 can penalize a company for each day it fails to notify patients of a privacy incident.
This precarious situation for large and small businesses alike is the result of Congress's failure to act in passing a national law superseding every state law. When states get impatient for the federal government to act, they take matters into their own hands. Many times, especially in the case of privacy and security law, they do it with the best intentions. Unfortunately, we often get a morass of confusing and contradictory pronouncements that are either unbelievably overreaching in scope or just simply too complex and punitive for a small company to attempt to comply with. This 'arms race' of states passing their own laws sometimes results in laws so esoteric and narrow that a small company may simply ignore them, or rationalize that it is easier and cheaper to pay any fines associated with non-compliance than to try and comply with the law.
And then sometimes you get laws that appear (at least to me) to be only knee-jerk reactions to high profile cultural events like texting while driving. Granted, this is a dangerous trend and equally dangerous activity that is a negative by-product of modern technology. It makes sense to not do it in practice, but to pass a law prohibiting texting while driving is, to me, pure demagoguery. So, you can't text while driving, but you can still eat, drink coffee, change the stations on your radio, program your GPS, sing, turn around to slap your kids, put on make-up, and on and on... Or what about the recent phenomenon of companies asking employees for their Facebook passwords? I am not sure about your company, but since when did this become such a national epidemic, like SARS, or Swine Flu? Is this 1950, and employers are asking employees if they are now or have ever been a member of the Communist Party? Sure, I believe it happens and it is wrong, but do we need to create and pass specific laws against it? Don't our legislators have anything better to worry about?
Yes, all of these activities generate press and show citizens that their generally do-nothing members of Congress are actually doing something. (I like to recall Hemingway's great line here: "Don't confuse motion with action.") But the outcome is just another law layered on top of all the other laws that companies, large and small, must deal with to be in compliance. The real ARMS race, nuclear arms proliferation between the U.S. and the Soviet Union, ended in the 1970's with the SALT I and II Talks. Maybe lives aren't at stake here as they were with ICBM missiles, but maybe we can convince Congress that the situation for privacy and security law compliance is dire enough to warrant a SALT talk to prevent the further proliferation of these one-off, ad-hoc laws and end this arms race too.
Sunday, August 12, 2012
Suddenly, The Ubiquity of Privacy (ready for its closeup)
You know that experience you get when you buy a new brand of car - one that you had never paid much attention to - and then, after you buy it, suddenly you seem to notice that same car everywhere like never before? Well, maybe it is only because I am in the privacy business, but it seems that now, as never before, privacy in the United States has taken center stage in so many ways - both good and bad.
From the FTC to the White House to the European Union, many new formal and considered pronouncements are coming from very serious corners of the world. No longer are only policy wonks like me entertaining other wonks in online forums and privacy salons (our versions of Star Wars conventions); serious space is being dedicated to the topic of 'privacy.'
No longer is the topic of privacy relegated to serious mediums like Wired magazine or the New York Times; lots of mainstream publications feature some article on privacy, usually the evaporation of it, examined in detail. The Europeans have long taken the matter of privacy as a very, very serious topic, and given Europe's history of abuse of data we understand why. But it might be taken too seriously, some say, as the need for personal privacy may trump, hamper and stifle the innovation and creative spark that is the foundation of any entrepreneurial society.
Naturally, the prevalence of the stories of privacy is a direct function of the use of smartphones, tablets, social media and the general trend of more openness and sharing of data in communities and via applications. What I am not so sure of, however, is the real importance and significance of privacy to average users of technology. I have seen studies and interviews of countless average consumers, of all ages, who profess that they care deeply about their privacy - both on and offline. Yet, words rarely reflect the reality. I can on the other hand quote just as many studies of similar users who practice not what they preach in the use of that same technology. A famous survey in 2004 of British commuters revealed that more than 70% of people would reveal their computer password in exchange for a bar of chocolate; and over a third of them gave it up without even needing a bribe. And how many more endless stories do we have to read where, when a database of passwords is hacked, it's shown that most people's passwords were as simplistic as "password," "1234567" or "abc123"?
Some argue that this reality reflects a failing not of the users of technology per se, but of the technology itself. Think about how many sites require unique usernames and passwords. Some web sites want a password no longer than 7 characters; some passwords must be only numbers and letters; some passwords must be numbers, letters and special characters; some passwords must be at least 14 characters long; some passwords must be ....ahhhhhhhhhhhh! It is true that there is really no easy-to-use, universal way to log in securely to any and every site you use, obviating the need for 25 different passwords of varying length and complexity. So naturally, people take the path of least resistance and create accounts and passwords that are easy to remember, and use those same passwords across multiple sites, putting their security and privacy at risk in the process.
It is, however, a good thing that we are at least having this conversation about privacy and the value of it. The explosion of social media, especially amongst the young, and the portability of technology have been the proverbial gasoline for the fire. I don't think the pyre has fully gotten to the point of a five-alarm blaze yet, but we will get there. And soon. This will happen and has to happen before we as individuals and collectively as a country start to take the idea of our privacy as seriously as the Europeans do. In 5 years, I predict that there will be a convergence to a perfect median point between where the United States is now on privacy and where Europe is now. That sweet spot will be the inflection point where both privacy of individuals is demanded and taken seriously by companies, and where the flag of privacy is still able to wave breezily in the winds of innovation and imagination. That is when privacy will be truly ready for its close-up, and we'll actually like what we see.
Sunday, June 3, 2012
Dissecting modern privacy concerns
From my recent interview with Help Net Security: http://www.net-security.org/article.php?id=1721&p=1
Based on your experience, what are the critical issues in understanding the very nature of identity in a society actively building bridges between the real and digital world? How can we share more, connect with others, and protect our privacy at the same time?
That is the great question of our time for privacy professionals, isn’t it? And the whole explosion of social media has thrust the issue of ‘identity’ into the spotlight for us to deal with, and it has come upon us with very little advance notice to allow us time for proper preparation.
From what I’ve seen, there exists in both the online and offline worlds a dichotomy between proper authentication of an individual – that is, the individual is who they say they are – and the contrary position of oversharing of information by individuals so that we know too much about them, to some detriment. Obviously, fraud and identity theft is the result of improper authentication of a person to whom services are provided (i.e. too little information).
Embarrassing revelations to both individuals and corporations are the result of too much transparency. The problem of authentication is essentially the function of requiring too little information to validate the credentials of the person asserting their identity. At some point, institutions will have to realize that there should be no comfortable level of acceptable losses and raise the bar on proof of ‘who you are is who you say you are.’ Right now, for example, you can walk into any big box store and open an instant credit account with only a driver’s license as proof of identity. It would be one thing if driver’s licenses were difficult to reproduce, but most of us know it’s as easy as creating a business card these days.
On the other side of the fence, is the critical issue of too much openness and ability to share one’s life with little notion as to the consequences. I think ultimately we will have to create some kind of firewall between the real life you live and have, and the online version of that presence – some kind of official, vetted and legally binding avatar. Many people need and should have that defensive layer between the two for many reasons: lack of prudence, lack of sophistication, inability to self-censor, etc.
Technology will have to, and I am confident can, design that perfect solution that straddles the median strip between proper identification and allowing some degree of privacy while online. The notion of privacy as a discrete discipline and valuable asset to one’s existence has only recently come into popular consciousness, so it may be a little while before we catch up with much faster technologies that encourage sharing and social interaction (all the while attempting to monetize the behavior!).
The number of social networking users is growing exponentially, with most of them unaware of the privacy and security implications of the personal data they make available online. What type of problems do you expect careless users will have in the future? Are we moving towards a society where there is no privacy at all?
I think we have already seen the universe of reasonably untoward outcomes of people oversharing. Just ask Anthony Weiner. He was, for example, a well liked and respected New York politician with excellent long-term prospects in his party. After one imprudent series of actions, his political career, if not over, has been severely damaged. And yet, for every one high profile Anthony Weiner, there are 10,000 little people who have irreparably damaged their own lives for what they posted on Facebook, Twitter and YouTube.
I think we will always have a state of privacy, or at least a concept of what is acceptable by ‘normal’ society. Until the time when every behavior done behind closed doors becomes commonplace, there will always be a place and appreciation of the idea of privacy. Having said that, I do not think we will ever return to the halcyon days of privacy that, for instance, U.S. Presidents like Franklin Roosevelt and John Kennedy enjoyed. In this day and age of ubiquitous technology and 24-hour-a-day cable news programs, privacy and secrecy are the first casualties.
I do believe, however, that we will soon experience a swing of the pendulum to the other side, as we typically do in most matters that we as a society decide we have taken too far, too fast in one direction. In the near future, as technology begins to allow us to more perfectly choose how we present ourselves online and to the degree we are most comfortable, we’ll settle on an equilibrium. I would say we are at least 3 years away from that inflection point.
The over-sharing phenomenon fueled by Facebook users drives cybercriminals to innovate. One of the latest growing trends is automated social engineering which enables attackers to easily mass profile a lot of people. Should the companies running social networking sites make sure their users understand the privacy implications of their actions even though it hurts their bottom line?
Absolutely. It behooves any company offering a service to build in and promote privacy as a feature and component of the delivered experience. Without an expectation of privacy, customer trust will not follow, and the technology will ultimately not advance. It would be incredibly short-sighted of a company to ignore the 800 pound gorilla of privacy consideration in the room while trying only to monetize the user data that it is entrusted with.
In fact, any company that takes that path has already written its obituary. Yet, I can understand why some companies are not at this point yet. We as consumers constantly say, when polled, that we value our online privacy and take proper precautions to protect it. Yet, when given the chance to get a free chocolate bar outside of a grocery store for the small price of handing over our username and password to an e-mail account, we do so in very large numbers.
I sense, though, that the tide is slowly turning. It is only now beginning to be realized by companies that they can actually use their positive privacy posture as a competitive advantage versus their competitors. It won’t be long before consumers and customers also begin to evaluate the worth of doing business with a brand by the degree to which that company protects or values the privacy and protection of the data that its customer base hands over. Consumers are quickly growing disenchanted with the model of a free service at the cost of unlimited and unrestricted use of their data. I think fairly soon the ‘no free lunch’ mantra will be realized as it was originally meant to be.
You are one of the keynote speakers at Data Protection & Privacy Law Compliance. Can you tell our readers more about the event?
The Data Protection & Privacy Law Compliance conference is going to be a great event for both experts in the field who need to walk away with one or two new ideas, as well as other professionals who have recently entered the privacy and data protection field. I am very excited to be part of it. One of the great features of the event is the roster of top-tier talent that will be speaking. Rarely do you get a concentration of experts in one event that also features an expansive array of very topical issues.
Looking over the proposed agenda, I noticed that there are offerings that are very focused on a particular topic – like my topic on vendor management & oversight – and also broad topics like privacy issues that arise from the use of social media. Without a doubt there will be something for everyone.
Wednesday, May 23, 2012
Have you hugged your fears today?
I was in a conversation the other day with many of my peers at an interesting roundtable headed by the Cowen Group. I was asked to help David Cowen lead a conversation about a myriad of topical ideas and challenges that many high-level leaders across a diverse list of industries face today. As you might imagine, we heard about the challenges of perennial favorites like the inability to find talented people, limited budgets, lack of C-level support for projects, and on and on. Naturally, more newsworthy topics like Big Data, social media, DropBox, the Cloud, and consumerization of IT rightly caused particular concerns for most people due to the perception of loss of control over the network and the Corporate data. What I interpreted as the underlying tone of what most people said, and what hung in the air, though, was a thin but pervasive mist of fear.
At the end, David asked a select few of us to summarize what
we thought the take-aways were. As the speakers summarized their thoughts on
what they heard that morning, I quickly rewrote my summation based on a small
gem I heard David say earlier in the discussion: ‘encourage curiosity.’ My parting
thoughts went something like this:
I have heard talk of a number of new, unknown and unproven
technologies like the Cloud, Big Data, and ‘Bring your own device’, that have pervaded
(invaded, really) our workplace. And the
common underlying tone that I hear amongst us is one of fear.
Now, maybe it is because I am a perpetual optimist, and a ‘glass half full’ guy, but I can’t help but suggest that a reasonable, and in fact the only possible, option is to embrace the fear that confronts us. Encourage the uncertainty. Welcome the Black Swan events that disrupt the melancholy of day-to-day existence.
Why? It is this ambiguity, this insecurity and dissonance to
our comfort that otherwise makes life tolerable. Makes it bearable. Makes it
worthwhile. The shock to the system of the unexpected and unknown is what
drives humanity forward to betterment of us all. It is a cultural cold shower
that everyone needs from time-to-time.
In the very beginning of the 20th century, as some entrepreneurs thought about what improvements could be made to transportation, the conventional thinking was more akin to ‘building a faster horse’ than to Henry Ford’s ideas of creating an assembly line, interchangeable parts and installment selling, which really transformed the industry.
In the early ‘80s, Jack Valenti, head of the Motion Picture Association of America, lobbied against the creation of the VCR. Valenti actually said, in front of Congress no less, that the “VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.” Yet, what did the VCR eventually do to the movie industry? It saved it! Imagine how much better off the industry might be today if the fear of that new and unknown technology had been embraced rather than discouraged.
So that is why my parting thought was to say, we should embrace the fear of the unknown that we all feel every day at work. We should also encourage those who work for us who talk of bleeding edge technologies and radical concepts like “I know we don’t do it this way here today, but...”, and promote their curiosity. Reward it, in fact. If humanity is to be driven forward, it will take more than just a few of us.
Sunday, May 6, 2012
Changes in the world of Privacy: Big and Small
As I was preparing for an upcoming panel
discussion on recent privacy issues affecting the Corporate world, I thought
about two areas of relevancy for most organizations: micro and macro changes in
the realms of privacy and security. See if you agree.
The major, though subtle, micro change in the privacy and security world in recent times I’ve observed is the loss of power that the mighty IT organization used to have. Remember back in the day when IT’s word was gospel? If they said you couldn’t have this program, you didn’t get it; if they said there was no way you could access that web site, you didn’t get there. Use your own device in the office?!?! For work???!! Fugeddaboutit.
Nowadays though, it is more apparent than ever that IT has less power to say ‘no.’ Which of course causes many headaches for the IT department, which must now temper the tension and traditional IT resistance to allowing unknown/untrusted devices into the inner sanctum. The risks are obvious and myriad. These risks have led many organizations to firmly resist the trend of consumerization by restricting the umpteen varieties of hardware that every C-level executive and their brother bring to their cubicles.
In other ways, the fact that the fulcrum of power has now swung to the employee is a good thing, as I have argued in previous posts. It is the era of consumerization. This surge of employee power forces the IT department to be collaborative, and no longer allows the department to be filled with ‘V.P.s of No’. I argue that regardless of the formal or informal position of the IT department, or even the company policy in general, this faction of users is growing and is in fact disintermediating the IT department by working around them to get their devices to work at work. And here’s why: people’s personal world and professional world are drifting closer and closer together, with the traditional lines separating the two becoming blurrier than ever.
For
most business people, the mobile phone is now the mobile office, for example.
The ultimate objective of consumerization is simply work and personal life
converged onto a single device. It’s all about productivity via familiarity with
the toolset. Think about how life was 15 years ago: you had use of all the
great technology and software at work. When you came home, all you had were some
stripped-down versions of that machinery and those applications – toys, really.
Today, the scenario is reversed: employees who have state-of-the-art
technology at home can’t reconcile the fact that when they come to work they
have a Windows XP machine, or worse, that takes two days to boot up.
Pent-up user demand should not be underestimated, and consumerized IT can
be the Holy Grail of employee satisfaction if deployed properly.
A
parallel phenomenon that is also of note is the reassignment of power away from
companies and into the hands of the consumer, particularly the power to decide
strategy and business approach. Very recent examples of companies making a 180-degree
about-face on a business decision are reminiscent of the introduction of
New Coke in April 1985, and then the very public reversal back to Classic Coke.
While
the reintroduction of Classic Coke after the debacle of New Coke took 77 days
before the company admitted its mistake, many recent examples of the power of
the people (largely amplified by the vehicle of social media) are taking less
time. Consider the Bank of America notice that it would start charging customers $5 for
the privilege of using a debit card with the bank for purchases – retracted within
a month after the ensuing uproar; and Verizon reversed its plan to charge cell
phone users a $2 fee for one-time credit or debit card
payments by phone or on the company’s web site – retracted after one day! Now that’s power. (And stupidity on the
part of the corporation’s marketing department.)
The
most prevalent macro change I see in the privacy and security space must be
the convergence toward the center of the historically very different privacy and
security models of the European Union and of the United States. It used to be
that the U.S. cared only for security and very little for privacy (after all, we
still have no comprehensive national privacy law, only sector-specific ones), while the countries of the E.U.
cared almost exclusively about the individual’s privacy, with little focus on
security (there is, for example, no general breach notification requirement in
E.U. data protection law of the kind most U.S. states now have.)
Now
I see a slow, deliberate convergence toward the common middle as both parties
realize the benefit and practicality of the other party’s approach and model. Though
the two camps’ privacy and security laws are still worlds
apart, within the next three years – due in large part to both the recently issued
FTC privacy best practices report and the publication of the E.U.’s proposed
revision of its Data Protection Directive – the world will finally agree on
the proper blend of privacy and security controls, to the benefit of all
customers, consumers and employees on both continents.
Monday, April 9, 2012
Doth Privacy Professionals protest too much?
If you didn't know any better, and as a point of reference only considered recent pronouncements of what online social media sites, search engines and mobile phone apps are doing with your data, you may just be frightened enough to go back to using smoke signals and carrier pigeons to communicate with the outside world.
There exists, however, a dichotomy of realities. On one hand, privacy professionals like me feel it is our God-given duty, as the more informed of the two parties, to relay and convey the risks and (apparently few) rewards of living in a digital world. (Just as you expect valid financial advice from your accountant; she knows more than you, you hope.) You can’t pick up any newspaper, magazine or online article without being threatened with identity Armageddon through the use of Facebook, Google, Angry Birds, Hootsuite, Pandora, Yelp...and on and on and on. At what point do privacy experts stop being valued advisors and move toward simply being paternalistic and saving us from ourselves? Or worse: becoming crybabies?
We as users of technology (me included) profess to care about our privacy, but the reality of the situation is that in practice we generally do the opposite of what we say. We have even given out our passwords and usernames to "researchers" in exchange for free chocolate. ISACA, a global information security association, recently published a survey indicating that 43% of people do not read the agreements on location-based apps before downloading them, and that of those who do read the agreements, 25% believe these agreements are not clear about how location information is being used. (What the statistics do not really make clear is how many of the users who read how their data is being used still downloaded the app. More than 43%, I’ll bet.) Released late last week, the latest edition of the Angry Birds franchise was downloaded 10 million times in its first three days. How many people read the privacy policy, do you think? Every Apple iPhone update I have ever received on my phone has presented the policy and terms of use in no fewer than 60 pages.
It is probably the case that we have become desensitized to the news of our data being hacked, stolen or misused, which has left most people inert in the face of these events. When you are the recipient of a half-dozen of these "we lost a backup tape" or "a laptop was stolen" letters, and no immediate 'sky is falling' event follows, you become complacent; you start to ignore everything about the warnings, even when you should not. That state of being is called 'habituation.' According to www.animalbehavioronline.com (how’s that for a source!), habituation is "an extremely simple form of learning, in which an animal, after a period of exposure to a stimulus, stops responding. In the nervous system, sensory systems may stop, after a while, sending signals to the brain in response to a continuously present or often-repeated stimulus."
Politicians now even feel the need to publicly bully technology firms, since it is easy work for them and it makes it seem like Washington is actually doing something. With approval ratings for Congress at historic lows, politicians feel the need to get as much visibility as possible, even if it means digressing into areas about which they have no knowledge, expertise or clue. (I wonder: has every problem facing Congress already been solved, so that they now have to worry about what the iFart app does with my personal information?!)
The facts of the situation are these: use of Facebook or Google is not mandatory (really, it's not!); you can still switch back to Friendster, Bing and MySpace if you'd like. Here's a corollary illustration. I recently had a bad experience with a car brand and dealer. When my lease came up for renewal, not only did I not purchase that car, but I did not and will not buy another car from that dealer. In fact, I won't even buy the same brand of car, because that dealer is the only one for that brand within a 50-mile radius, so I would have to take my car to that dealer for service. So what did I do? Actually, what did I not do? I did not ask the government to regulate or step in to review this lousy dealer; I voted with my feet and took my business elsewhere.
It is true in most professions around the world that we tend to create and discuss ideas only within our professional bubble; at best, instead of just talking about bacon for breakfast, you may move to turkey bacon. It is rare if the discussion ever moves to dim sum. The same ideas, solutions and concepts are debated by and for the same people. So when a person or people in your group doth protest too much, he or she may be really only doing so for the benefit (or entertainment) of just the same circle of colleagues he or she interacts with.