What If Privacy Polices Were As Easy To Read As IKEA Instructions?

I was building a wardrobe closet from IKEA the other day and I realized something remarkable after following the directions, page by page - and there must have been at least 25 pages of directions. Though the closet is over 9 feet tall and at least 8 feet wide, with hundreds of screws, washers, shelves, frames, tracks and bolts, I was able to easily follow the directions to a successful completion - and I am not very handy, let me say - without the directions ever posting a single word. Everything, and every page of instruction was a simple line drawing.

I began thinking about how other people with no privacy background, interest or expertise feel when they look at what we do in the privacy space. That is, how average users of websites and apps feel about the privacy policies that they come across or, god forbid, ever dare to read.  According to a recent study released by the digital branding firm Siegel+Gale, most users of Facebook and Google had fundamental gaps in understanding, even after reading the posted privacy policies, of what the websites were saying in those policies or what they did with customer information.  Think about what that says about the privacy profession and its ability to communicate a coherent message!!? Can you imagine any other industry in which its primary user base or target audience doesn't understand its products? Anyone you know buy a bicycle and not know how to ride it? Because of difficult to read and understand privacy policies, readers of those documents walk away from the policy with no more understanding of what is happening with their data then when they started. If that is the case, then you, as the writer of that policy, have failed your customer.

Years ago, the privacy role was taken by the General Counsel who was typically appointed the Chief Privacy Officer one day because she had written the privacy policy sometime before. It goes without saying that the document was probably a bog of legalese; a vague and deliberately obtuse read that only served to cover the company's metaphorical ass. Then, someone in the company heard that there was a Chief Security Officer in the building. Eureka! So now he should also in charge of security along with privacy. (They are the same things, no?). That worked out well for a while but then it was soon realized that the CISO's primary duty is to protect data so that no one gets to it. That didn't do the marketing folks any good, let alone customers who wanted control over their own data.

As time has elapsed, consumers matured, and our appreciation of the treasure trove that we call our database of customer and employee data begins to rise, I believe that the role of the privacy professional is now converging to a middle ground. The role is moving from the polar extremes it previously inhabited towards an individual with a skill set that is a confluence of three core proficiencies: first, an appreciation of the law, second, respect and understanding of security, and finally, a practitioners eye for the use of data and real world operational understanding of the business. When a privacy policy is written by someone with this kind of resume, an average user who reads it will know exactly what the company is doing with the data they collect and use. Maybe, someday, that privacy policy will be as easy to follow and understand as the directions for building an IKEA closet.

Privacy's Double-edged Sword - Protecting Good and Bad Guys

In our 'always on and connected world' there is certainly enough evidence of how the respect of privacy is a good thing. There are enough of my peers in the privacy space who have taken it as their God-given duty to protect us from ourselves, as if God spoke to them like He did to Abraham.Yet the tendency towards paternalism aside, and as much as the cry for more privacy protects us good citizens, it also  protects some bad guys as well.

In a the recent decision from Canada, the Supreme Court of Canada  indicated that employees may have a reasonable expectation of privacy for information that may reside on work-issued computers, at least where personal use is either permitted or reasonably expected. Sounds simple enough. But here is the nuance.

A high school teacher had a school-issued laptop in his possession that he was permitted to use the for incidental personal purposes as well . As a system administrator, he was also able and responsible for policing student use of their school-issued laptops, and could therefore access hard drives of student laptops.

The school had a robust Acceptable Use policy that stated, among other things, incidental personal use of laptop was allowed; teachers’ email correspondence was private, subject to certain conditions; all data and messages generated or handled by school hardware were the property of the school, and, finally, that users should not expect privacy in their files.

While an IT staff member was performing some routine maintenance on the teacher's machine, he found a folder on the laptop that contained nude and partially nude photographs of a female student . The technician told the school principal and the photographs were copied to a CD. The principal seized the laptop, and turned both the laptop and the CD over to the police. The teacher was then subsequently charged with possession of child pornography and unauthorized use of a computer.

The reason the Supreme Court interceded is because the police who reviewed the laptop, did so without a proper search warrant. They ruled that the teacher did have a reasonable expectation of privacy in his use of the laptop, as the school policy indicated that users were allowed some incidental use of the machine.

Though the Court did not rule specifically on the issue of how and if employers can monitor their employees and employees use of company or school owned equipment, the matter does highlight that the umbrella of privacy does protect both good guys and the bad guys from the same rainstorm. Though the teacher's behavior and activities indicate some deplorable and nefarious activities that are wholly inexcusable in any context, one must also recall that Lady Justice is most often depicted with a set of scales suspended from one hand, upon which she measures the strengths of a case's support and opposition. If you look closely, you will also notice that she is also often seen carrying a double-edged sword in her other hand, symbolizing the power of Reason and Justice, which may be wielded either for or against any party. Good or bad.

The Arms Race of Privacy Laws

This month Texas became the latest state to either introduce its own breach notification law, or modify its existing one. The Texas House Bill 300 is an update to the Texas breach law already on its books. The law is amongst the now 46+ disparate laws on the books that businesses in the U.S. must navigate and be expected to comply with if they do business in more than one state, or posses the information of a resident of more than one state. I imagine that this is the kind of convoluted (and expensive) business environment that companies in Europe had to deal with before the European Union codified most of their laws. 

A cursory reading of the Texas law's provisions makes it appear as though companies now have additional obligations in Texas. For example, the law states that you must train employees on Personal Health Information within 60 days of hire, rather than simply on an annual basis. (Damn your existing training regime that is done annually for administrative ease or convenience!) As well, if your company thought of yourself as only a business associate in Texas, well guess what? Voila! Even if you were simply acting as a 'business associate' for a client, this law now considers you a 'covered entity' under their definition.

 Lastly, the penalties under this law appear to be particularly egregious. The big difference here versus HITECH is that House Bill 300 can penalize a company everyday for each day they fail to notify patients of a privacy incident.

This precarious situation for large and small business alike is the Congress; failure to act in passing a national law, superseding every state law. When states get impatient for the Fed to act they take matters into their hands. Many times, especially in the case of privacy and security law, they do it with the best intentions. Unfortunately, we often get a morass of confusing and contradictory pronouncements that are either unbelievable overreaching in scope or just simply too complex and punitive for a small company to attempt to comply with. This 'arms race' of states passing their own laws sometimes results in laws so esoteric and narrow that it may lead a small company to just ignore, or rationalize that it is easier and cheaper to pay any fines associated with non-compliance than to try and comply with the law

.

And then sometimes you get laws that appear (at least to me) to be only knee-jerk reactions to high profile cultural events like texting while driving. Granted, this is a dangerous trend and equally dangerous activity that is a negative by-product of modern technology. It makes sense to not do it in practice, But to pass a law against prohibiting texting while driving is, to me, pure demagoguery. So, you can't text while driving, but you can still eat, drink coffee, change the stations on your radio, program your GPS sing, turn around the slap your kids, put on make-up, and on and on... or what about the recent phenomenon of companies asking employees for their Facebook passwords. I am not sure about your company, but since when did this become such a national epidemic, like SARS, or Swine Flu? Is this 1950 and employers are asking employees if they are now or have ever been a member of the Communist Party?  Sure, I believe it happens and it is wrong, but do we need to create and pass specific laws against it? Don't our legislators have anything better to worry about? 

Yes, all of these activities generate press and show citizens that their generally do-nothing members of Congress are actually doing something. (I like to recall of Hemingway's great line here: "Don't confuse motion with action."). But the outcome is just another law layered on top of all the other laws that companies, large and small, must deal with to be in compliance. The real ARMS race of nuclear arms proliferation ended between the U.S. and Soviet Union ended in the 1970's with the SALT I and II Talks. Maybe lives aren't at stake here as they were with ICBM missiles, but maybe we can convince Congress that the situation for privacy and security law compliance is dire enough to warrant a SALT talk for the prevent and further proliferation of these one-off, ad-hoc laws and end this arms race too.

Suddenly, The Ubiquity of Privacy (ready for its closeup)

 You know that experience you get when you buy a new brand of car - one that you had never paid much attention to -  then after you buy it, suddenly you seem to notice that same car everywhere like never before? Well, maybe only because I am in the privacy business, but it seem like now, as never before has privacy in the United States has taken the center stage in so many ways - both good and bad.

From the FTC to the White House to the European Union, many new formal and considered pronouncements are coming from very serious corners of the world. No longer are only policy wonks like me entertaining other wonks in on-line forums and privacy salons (our versions of Star Wars conventions), but serious space is being dedicated to topic of 'privacy.'

No longer is the topic of privacy relegated to serious mediums like Wired magazine or the New York Times, lots of main stream publications feature some article on privacy, usually the evaporation of it, examined in detail. The Europeans have long taken the matter of privacy as a very, very serious topic, and due to its history of abuse of data we understand why. But it might be taken too seriously, some say, as the need for personal privacy  may trump, tamper and stifle the innovation and creative spark that is the foundation of any entrepreneurial society.

Naturally, the prevalence of the stories of privacy are a direct of function of the use of smartphones, tablets, social media and the general trend of more openness and sharing of data in communities and via applications. What I am not so sure of, however, is the real importance and significance of privacy to average users of technology. I have seen studies and interviews of countless average consumers, of all ages, who profess that they care deeply about their privacy - both on and offline. Yet, words rarely reflect the reality. I can on the other hand quote just as many studies of similar users who practice not what they preach in the use of that same technology. A famous survey n 2004 of British commuters revealed that more than 70% of people would reveal their computer password in exchange for a bar of chocolate; and over a third of them gave it up without even needing a bribe. And how many more endless stories do we have to read about where when a database of passwords is hacked, it's shown that most people's passwords were as simplistic as "password," "1234567" or "abc123?"

Some argue that this realty reflects a failing not of the users of technology per se, but of the technology itself. Think about how many sites that require unique usernames and passwords. Some web sites want a password no longer that 7 characters; some passwords must be only numbers and letters; some passwords must be numbers, letters and special characters; some passwords must be at least 14 characters long; some passwords must be ....ahhhhhhhhhhhh!  It is true that there is really no easy-to-use, universal way to log-in securely to any and every site you use obviating the need for 25 different passwords of varying length and complexity. So naturally, people take the path of least resistance and create accounts and passwords that are easy to remember and use those same passwords across multiple sites, putting their security and privacy at risk in the process.

It is, however, a good thing though that we are least having this conversation about privacy and the value of it. The explosion of social media, especially amongst the young and portability of technology has been the proverbial gasoline for the fire. I don't think the pyre has fully gotten to the point of a 5 alarm blaze yet, but we will get there. And soon. This will happen and has to happen before we as individuals and collectively as a country start to take the idea of our privacy as seriously as the Europeans do. In 5 years, I predict that there will be a convergence to a perfect median point from where the United States is now on privacy and where Europe is now. That sweet spot will be the inflection point where both privacy of individuals is demanded and taken seriously by companies, and where the flag of privacy is still able to wave breezily in the winds of innovation and imagination. That is when privacy will be truly ready for its close-up, and we'll actually like what we see.

Dissecting modern privacy concerns

From my recent interview with Help Net Security: http://www.net-security.org/article.php?id=1721&p=1

Based on your experience, what are the critical issues in understanding the very nature of identity in a society actively building bridges between the real and digital world? How can we share more, connect with others, and protect our privacy at the same time?

That is the great question of our time for privacy professionals, isn’t it? And the whole explosion of social media has thrust the issue of ‘identity’ into the spotlight for us to deal with, and it has come upon us with very little advance notice to allow us time for proper preparation. 

From what I’ve seen, there exists in both the online and offline worlds a dichotomy between proper authentication of an individual – that is, the individual is who they say they are – and the contrary position of oversharing of information by individuals so that we know too much about them, to some detriment. Obviously, fraud and identity theft is the result of improper authentication of a person to whom services are provided (i.e. too little information).


Embarrassing revelations to both individuals and corporations are the result of too much transparency. The problem of authentication is essentially the function of requiring too little information to validate the credentials of the person asserting their identity. At some point, institutions will have to realize that there should be no comfortable level of acceptable losses and raise the bar on proof of ‘who you are is who you say you are.’ Right now, for example, you can walk into any big box store and open an instant credit account with only a driver’s license as proof of identity. It would be one thing if driver’s licenses were difficult to reproduce, but most of know it’s as easy as creating a business card these days.

On the other side of the fence, is the critical issue of too much openness and ability to share one’s life with little notion as to the consequences. I think ultimately we will have to create some kind of firewall between the real life you live and have, and the online version of that presence – some kind of official, vetted and legally binding avatar. Many people need and should have that defensive layer between the two for many reasons: lack of prudence, lack of sophistication, inability to self-censor, etc.


Technology will have and I am confident can design that perfect solution that strides the median strip between proper identification and allowing some degree of privacy while online. The notion of privacy as a discrete discipline and valuable asset to one’s existence has only recently come into popular consciousness, so it may be a little while before we catch up with much faster technologies that encourage sharing and social interaction (all the while attempting to monetize the behavior!).

The number of social networking users is growing exponentially, with most of them unaware of the privacy and security implications of the personal data they make available online. What type of problems do you expect careless users will have in the future? Are we moving towards a society where there is no privacy at all?

I think we have already seen the universe of reasonably untoward outcomes of people oversharing. Just ask Anthony Weiner. He was, for example, a well liked and respected New York politician with excellent long-term prospects in his party. After one imprudent series of actions, his political career, if not over, has been severely damaged. And yet, for every one high profile Anthony Weiner, there are 10,000 little people who have irreparably damaged their own lives for what they posted on Facebook, Twitter and YouTube.

I think we will always have a state of privacy, or at least a concept of what is acceptable by ‘normal’ society. Until the time when every behavior done behind closed doors becomes commonplace, there will always be a place and appreciation of the idea of privacy. Having said that, I do not think we will ever return to the halcyon days of privacy that, for instance, U.S. Presidents, like Franklin Roosevelt and John Kennedy enjoyed. In this day and age of ubiquitous technology and 24–hour a day cable news programs, privacy and secrecy are the first casualties. 


I do believe, however, that we will soon experience a swing of the pendulum to the other side, as we typically do in most matters that we as a society decide we have taken too far, too fast in one direction. In near future, as technology begins to allow us to more perfectly choose how we present ourselves online and to the degree we are most comfortable, we’ll settle on a equilibrium. I would say we are least 3 years away from that inflection point.

The over-sharing phenomenon fueled by Facebook users drives cybercriminals to innovate. One of the latest growing trends is automated social engineering which enables attackers to easily mass profile a lot of people. Should the companies running social networking sites make sure their users understand the privacy implications of their actions even though it hurts their bottom line?

Absolutely. If behooves any company offering a service to build in and promote privacy as a feature and component of the delivered experience. Without an expectation of privacy, customer trust will not follow, and the technology will ultimately not advance. It would be incredibly short-sighted of a company to ignore the 800 pound gorilla of privacy consideration in the room while trying only to monetize the user data that it is entrusted with.


In fact, any company that takes that path has already written its obituary. Yet, I can understand why some companies are not at this point yet. We as consumers constantly say, when polled, that we value our online privacy and take proper precautions to protect yet. Yet, when given the chance to get a free chocolate bar outside of a grocery store for the small price of handing over our username and password to an e-mail account, we do so in very large numbers.

I sense, though the tide is slowly turning. It is only now beginning to be realized by companies that they can actually use their positive privacy posture as a competitive advantage versus their competitors. It won’t be long before consumers and customers also begin to evaluate the worth of doing business with a brand by the degree to which that company protects or values the privacy and protection of the data in which its customer base hands over. Consumers are quickly growing disenchanted with the model of a free service at the cost of unlimited and unrestricted use of their data. I think fairly soon the ‘no free lunch’ mantra will be realized as it originally meant to be.


You are one of the keynote speakers at Data Protection & Privacy Law Compliance. Can you tell our readers more about the event?

The Data Protection & Privacy Law Compliance conference is going to be a great event for both experts in the field who need to walk away with one or two new ideas, as well as other professionals who have recently entered the privacy and data protection field. I am very excited to be part of it. One of the great features of the event is the roster of top-tier talent that will be speaking. Rarely do you get a concentration of experts in one event that also features an expansive array of very topical issues.

Looking over the proposed agenda, I noticed that there are offerings that are very focused on a particular topic – like my topic on vendor management & oversight – and also broad topics like privacy issues that arise from the use of social media. Without a doubt there will be something for everyone.

Have you hugged your fears today?

I was in a conversation the other day with many of my peers at an interesting roundtable headed by the Cowen Group. I was asked to help David Cowen lead a conversation about a myriad of topical ideas and challenges that many high-level leaders across a diverse list of industries faced today. As you might imagine, we heard about the challenges of perennial favorites like inability to find talented people, limited budgets, lack of C-level support for projects, and on and on. Naturally, more newsworthy topics like Big Data, social media, DropBox, the Cloud, and consumerization of IT, rightly caused particular concerns for most people due to the perception of loss of control over the network and the Corporate data. What I interpreted as the underlying tone of what most people said, and what hung in the air, though, was a thin, but pervasive mist of fear.

At the end, David asked a select few of us to summarize what we thought the take-aways were. As the speakers summarized their thoughts on what they heard that morning, I quickly rewrote my summation based on a small gem I heard David say earlier in the discussion: ‘encourage curiosity.’ My parting thoughts went something like this:

I have heard talk of a number of new, unknown and unproven technologies like the Cloud, Big Data, and ‘Bring your own device’, that have pervaded (invaded, really) our workplace.  And the common underlying tone that I hear amongst us is one of fear.

Now, maybe because I am a perpetual optimist, and a ‘glass half full’ guy, but I can’t help but suggest that a reasonable, and in fact only possible option is to embrace the fear that confronts us. Encourage the uncertainty. Welcome the Black Swan events that disrupt the melancholy of day-to-day existence.

Why? It is this ambiguity, this insecurity and dissonance to our comfort that otherwise makes life tolerable. Makes it bearable. Makes it worthwhile. The shock to the system of the unexpected and unknown is what drives humanity forward to betterment of us all. It is a cultural cold shower that everyone needs from time-to-time.

In the very beginning of the 20^th century, as new some entrepreneurs thought about what improvements could be made to transportation, the contrived thinking was more akin to ‘building a faster horse’ than to Henry Ford’s ideas of creating an assembly line, interchangeable parts and installment selling which really transformed the industry.

In the early ‘80s, Jack Valenti, head of the Motion Picture Association of America lobbied against the creation of the VCR. Valenti actually said, in front of Congress no less, that the “VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.” Yet, what did the VCR eventually do the movie industry? It saved it! Imagine how much better off the industry might be today of the fear of that new and unknown technology was embraced rather than discouraged.

So that is why my parting thought was to say, we should embrace the fear we all fear everyday at work of the unknown. We should also encourage those who work for us who talk of bleeding edge technologies and radical concepts like “I know we don’t do it this way here today, but...”, and promote their curiosity. Reward it, in fact.  If humanity is to be driven forward, it will take more than just a few us.

Changes in the world of Privacy: Big and Small

As I was preparing for an upcoming panel discussion on recent privacy issues affecting the Corporate world, I thought about two areas of relevancy for most organizations: micro and macro changes in the realms of privacy and security. See if you agree.

The major, though subtle, micro change in privacy and security world in recent times I’ve observed is the loss of power that the mighty IT organization used to have.  Remember back in the day when  IT’s world was gospel. If they said you couldn’t have this program, you didn’t get it; if they said there was no way you could access that web site, you didn’t get there. Use your own device in the office?!?! For work???!! Fugeddaboutit.

Nowadays though, it is more apparent than ever that IT has less power to say ‘no.’ Which of course causes many headaches for the IT department who must deal now temper the tension and traditional IT resistance of allowing unknown/untrusted devices into the inner sanctum. The risks are obvious and myriad. These risks have led many organizations to firmly resist the trend of consumerization by restricting the umpteen amount of variety of hardware that every C-level executive and their brother bring to their cubicles. 

In other ways, the fact that the fulcrum of power has now swung to the employee is a good thing, as I have argued in previous posts. It is the era of consumerization. This surge of employee power forces the IT department now to be collaborative, and no longer allows the department to be filled with ‘V.P.s of No’. I argue that regardless of the formal or informal position of the IT department, or even the company policy in general, this faction of users is growing and is in fact disintermediating the IT department by working around them to get their devices to work at work. And here’s why: people’s personal world and professional world are drifting closer and closer together with the traditional lines separating the two becoming blurrier than ever.

For most business people, the mobile phone is now the mobile office, for example. The ultimate objective of consumerization is simply work and personal life converged onto a single device. It’s all about productivity via familiarity of the toolset. Think about how life was 15 years ago: you had use of all the great technology and software at work. When you came home, all you had was some stripped down versions of that machinery and applications – toys, really.  Today, the scenario is reversed: employees who have state-of-the art technology at home can’t reconcile the fact that when they come to work they have a Windows XP machine, or worse, that takes 2 days to boot up.  Pent-up user demand should not be underestimated, and consumerized IT can be the Holy Grail of employee satisfaction if deployed properly.

A parallel phenomenon that is also of note is the reassignment of power away from companies and into the hands of the consumer, particularly the power to decide strategy and business approach. Very recent examples of companies making a 180 degree about face on a business decision are reminiscent of the introduction of New Coke April 1985, and then the very public reversal back to Classic Coke.

While the reintroduction of Classic Coke after the debacle of New Coke took 77 days before the company announced their mistake, many recent example of the power of the people (largely amplified with the vehicle of social media) are taking less time. Consider the Bank of America notice to start charging customers $5 for the privilege of using a debit card with the Bank for purchases – retracted in a month after the ensuring uproar; and Verizon reversed its plan to charge cell phone users $2 fee for one-time credit or debit card payments by phone or on the company’s Web site – retracted after one day!  Now that’s power. (And stupidity on the part of the Corporation’s marketing department.)

Of the most prevalent macro change I see in the privacy and security space must be the convergence to the center of the historically very different privacy and security models of the European Union and of the United States. It used to be that the U.S. cared only for security and very little of privacy (after all, we still have no national or federal privacy law), while the countries of the E.U. cared almost exclusively about the individual’s privacy, and no focus on security (there is, for example, no breach notification requirements in the E.U. data privacy laws.)

Now I see a slow, deliberate convergence toward the common middle as both parties realize the benefit and practicality of the other parties approach and model. Though the disparity of the two camps privacy and security laws are still world’s apart, within the next 3 years – due in large part to both the recently issued FTC privacy best practices report, and the publication of the E.U.’s Data Protection Directive proposed revisions - the world will soon finally agree on the proper blend of both privacy and security controls to benefits of all customers, consumers and employees on both continents.