When Privacy is on the Menu, But You Order off the Menu...

"Vicarious goal fulfillment." 

You may not have heard of this phrase, but you may unknowingly be guilty of doing it. Here is the idea behind the term: In a recent New York Times article, we learned why otherwise healthy-eating people sometimes take a very unhealthy u-turn on their diet. The psychology of why this occurs struck me that this kind of similar self-defeating behavior in eating, can also make its way into privacy-related decisions. 

More so than ever before, restaurants and other venues have begun to add healthy food options to supplement their classically unhealthy offerings. The thought is that making nutritious alternatives more available will lead customers to select the superior food choices. However, a number of studies have shown that merely having but one healthy food option on a menu of unhealthy choices cause people to both select the least healthiest option on the menu, and yet feel still like they have fulfilled their goal of healthy eating - even if they didn't choose the health option. And, ironically, the study goes on to say, this consequence is strongest for people with a high-degree of self-control. That is, people who should know better.

Think this topic can't possibly relate to privacy? The parallels are striking. Think about how the mere presence of the privacy policy on a mobile app you use on your phone or tablet comforts, or how the policy on the website you visit gives you a false sense of security that the company has a privacy policy to begin with, and that they actually honor the actions outlined in that policy. I have written about this before, especially where we read that consumers outspokenly demand high levels of privacy and strict adherence by businesses to the use of the customer data they collect, yet their behavior in many cases blatantly contradicts what say they want. (Trade your password for a bar of chocolate anyone?)

Just like sex sells, so do the unhealthy food selections on most menus, even if healthier options exist side-by-side. The restaurants say that they only offer the people what they want, and it is not their dominion to police people’s eating habits or modify bad habits. It is still a free country, yes?

So why shouldn’t we take the same tact with companies, browsers, applications or services that simply give the people what they want – entertainment, free access, little or no costs apps, etc. – and their privacy be damned? Does the notion of privacy hold more currency than a person’s health? As long as there is no unfair or deceptive practices occurring, and there is full disclosure on what is being done with the data, why shouldn’t people be allowed to act in a manner that is not in their best self-interest? We do it every day with food, tobacco, alcohol and spandex already. Should privacy be a loftier goal? If it is, then it should be achieved directly, and not vicariously. Like seeing a Cobb salad on the menu, but ordering the Double-Double Bacon Cheeseburger.

Boston, Big Data, Privacy and other Trade-offs.

As the world awaits the resolution of the Boston marathon bombers situation, one thing is clear: what led to their identification and, hopefully capture, was a combination of two elements: Big Data, and what might be termed the ‘lack of privacy’.

The contribution of Big Data to the identification of the criminals is evident: by collecting and collating millions of images and videos from myriad sources, the FBI and police were able to do a phenomenal job of pinpointing likely suspects who did or were likely to have committed the crime in question. Getting to the same place without Big Data may have been possible and eventual, but only because of a preponderance of data and the correlation activities was the situation that is happening now able to occur so quickly.

As to the ‘lack of privacy’ element, this was the obvious result of the hundreds of video/CCTV cameras in question all around Boston, and most evident along the marathon route that captured (in astounding clarity, by the way) the two primary suspects toting around black backpacks.

At this point, I wonder if we’ll see any hardcore privacy advocate step-up and say that though there was a positive by-product of all of this covert surveillance and yielding of privacy expectations, we should still not indulge the urge for more of the same. I doubt anyone will be so fearless. On the other side, it may be more likely that we will see more advocating for the existence of or proliferation of the ever-present ‘eye in the sky’ that is leading the authorities to an efficient conclusion of this tragic event.

I think the conversation will continue, as it usually has, around the practicality of trading-off more security for less privacy, along with the benefit to the greater good (i.e. more personal privacy) versus the loss of solitude or discretion, even in public places. At this point that most of us think we have no or should have no expectation of privacy in public places, but if you watch closely some of the surveillance footage that captured the two suspects, you can see other people doing things that I am sure they would not necessarily want broadcast on public TV (that is, scratching places and picking places our mothers told us not to…).  

The easy question at this exact moment is ‘Do we ask folks to surrender their humility to the greater good of catching bad guys?’  I think many people at this point in time, with emotions running so high at this horrific and senseless act of brutality, would say ‘Absolutely. That is an easy trade-off.’ And so we tolerate the inconveniences and make sacrifices.

What I think is the ultimate question though is ‘What is the right amount of trade-off?’ Where is that sweet spot of just enough security and just enough privacy? The answer is of course, highly personal and subjective; it is also contextual. Though most of us agree (or are not disagreeing) with what is being done by the authorities in Boston right now, I am not sure that we would accept another lockdown of a major American city for anything less than the most extraordinary series of events. Though data gets bigger all the time, our tolerance for trade-offs, however, gets smaller.

In 2013, Companies will need to differentiate themselves with data (Guess whose data?)

As more online applications and services begin to proliferate in the webisphere, the likelihood is that the similar services will all begin to converge to sameness as competitors race to fill in the void of uniqueness. As the characteristics of distinction begin to dissipate between all of the various services and applications, there leaves but one thing that the companies will rely on to differentiate themselves from their competitors - data. And of course whose data will they use to achieve that distinction? Yes, of course. Yours.

If information is the new oil of the 21st century, then companies will need to constantly be 'drilling' or mining for it in the form of data collection - be it overt or covert. Right now companies that collect data for personalization purposes do it in a way that reminds me of awkward and unsophisticated teenagers fumbling their way through the initial stages of romance. But a few years from now - 5 years at the most - the level of personalization that online companies will offer up to users will be so slick and fine-tuned it will be transparent to the average person how the decision to offer up that product was arrived at.

Remember that scene in the movie, Minority Report, when Tom Cruise was walking into the Gap store and the store's cameras were reading his eyes and offering him personalized ads and even clothing suggestions? That is the future - both literally and figuratively - for consumers. The irony of course in that scene is that Tom Cruise had just had his eyes replaced with another set from a dead person so that the police would not be able to successfully track him. If you recall the scene in the movie Cruise had had a set of eyes from a Japanese man, so the ads (and the accompanying hologram lady) was personalized for him. ("Welcome back to the Gap, Mr. Yakamoto. How did the assorted tank tops work out for you?").  This is approximately the state where we are at now with personalization, all due to the rudimentary way data is collected on us now as we move across mobile platforms online.

Most (rational) people agree that the Faustian bargain that the internet has offered us all in exchange for its low or zero cost is the trade-off for our data and small pieces of privacy. You would be hard pressed to find people willing to pay for the free service they have enjoyed for the last 10 or fifteen years, just so that they don't see any ads. What most of us object to really I think, is the misguided ads or offerings that waste our time and screen real estate. (Do I need to see ads for e-cigarettes if I am not a smoker?)

Big Data is what it's called but it might be better called 'Big Dumb Data.' At least for now. Yet, some companies are very rapidly moving up the pace of innovation and sophistication with the use of the resources that they are filling their Oracle databases with. Slowly but surely you can see the flashes of refinement happening, and you see a unique company or two take the lead with the information that they possess and truly differentiate themselves from their competitors. As I said, 5 years from now when  we may even be at a point to be able to make sure it is indeed Mr. Yakamoto who is in need of some more tank tops when the pitch is made to him. And the only way that can be done is with data.

A gift to yourself this year? How about a better privacy profile?

A headline today in the Motley Fool's great online financial site entitled The Best Gift to Give Yourself This Year, made me think about what might really be a great gift to give yourself, and at little to no cost. How about the notion of enhanced privacy? Or really what we are talking about is more anonymity, especially online.

In the last year I have seen and have personally used a number of great technological tools and best practices to help minimize my exposure and vulnerability to excess data proliferation.

Now, I am no technological Luddite or privacy alarmist, and I believe in and understand how the Internet works and how the low-cost model has benefited the modern world thanks to advertising. Yet, I am sure you have all seen quite often in the press the exaggerated reviews about services and applications that if used on your smartphone, would threaten the very existence of Western Civilization!?!!. I benefit fro many of these applications myself, but we are very very quickly coming to the point where the value proposition is tilting too favorably in the other direction against regular consumers. 

First up a couple of behavioral changes that you should consider adopting in 2013. For example, don't get in the habit of logging in to new applications or websites with your Facebook or Twitter or any other 3rd party credentials. I realize it is expeditious and convenient, but it allows not only the 3rd party site (Facebook, Google, Twitter, etc.) to continue to build a profile of you, but it lengthens the bread crumb trail of your actions and activities on the web. If you every want to disappear forever, you'll have a rough time of it since you left so many clues as to your possible whereabouts and past behaviour.

Second, start to take notice of new windows that pop-up in and around websites offering you the ability to control the cookie and ad choices that are shown to you.  You can begin to be much more proactive about what cookies some websites are allowed to leave on your machine when you visit that site. Most European websites (and some of the more forward-looking U.S. sites) now offer up an express consent option when you visit the site for the first time, to control how the site will track you now and in the future. A great product from a company called Evidon which services up the "AdChoices' icon on some websites will allow you to proactively opt-out of being tracked by hundreds of tracking companies with one click on a page on their website. Thru Evidon's Open Data Partnership (ODP), users can easily manage the profiles that different companies have created about them and their interests.

As for technology, and for the more paranoid among us, I have been using a browser called Tor lately that really hides or disguises your activities online. The service works by 'bouncing' your communications around a distributed network of relays around the world you connect to which is run by volunteers (i.e. you, if you use the browser). Tor prevents someone from watching your Internet connection and building a profile on you via the sites you visit. An added benefit is that the browser prevents the sites you visit from learning your actual physical location, and it lets you access sites which are blocked - which your IT guys at work will no doubt love. (as I was writing this blog,  I fired up the Tor browser and the IP address that my machine was displaying to the outside world made it appear as though I was in the Czech Republic. Good stuff!) 

This is just a short list of technologies and behavioral changes that you can easily adopt to  improve your privacy posture in the new year. Almost all of these services and activities are free. In most cases, the cost is nothing more than a few extra minutes of your time to set a profile or check a box on a website. Generally, there is nothing to pay for. All you need to do is start to pay attention.

Happy Holidays and Happy New Year!

"Secure data access in a mobile universe" - Interview with the Economist Intelligence Unit

I was recently interviewed by a journalist,  Lynn Greiner, who was working on a paper for the EIU and we talked about data security, mobility and the ever-common phenomenon of BYOD (bring Your Own Device to work).  

The full white paper is here (http://tinyurl.com/a76vfow) but here are some excerpts:

Preventing the data from being stored on a mobile device at all is another strategy. Al Raymond, vice president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.

Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.

Aramark’s Raymond says his company takes an alternative approach to device-centric mobile security administration. Workers use the mobile device purely as a viewer, leaving company data on Internet-connected (remove this) securely accessible  corporate servers that do the heavy computing, and not on the device itself.

The average cost of a corporate data breach incident hit US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That’s more than double the average cost in 2005. Mr Raymond thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may hit US$25m–US$500m.

Before the introduction of Aramark's formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. "It's no longer a wink and a nod," Raymond says. The higher the visibility of your program, the more likely it will be adhered to.

Mr. Raymond says that, although his business doesn't require it, separate environments for business and personal use are important, but if the policies surrounding them, or any other security measures, are not enforced, there will be issues. He says he is always surprised, when speaking with his peers, at how much of security in large organisations is just "smoke and mirrors". The words are there, the enforcement isn't.

The Three Stages of Employee Awareness...Where are you?

On this Thanksgiving Day 2012, as we make efforts to be aware of what we are grateful for, I can’t help but gravitate to other related aspects of awareness – employee awareness. Specially, employee awareness training and how it effective it is.

The other reason that this topic comes to mind is because I am currently developing a new privacy awareness curriculum for my company. Like every other developer of training, I am concerned about many things: the delivery, the topics, the accessibility of the material, the level of interest of the participant, the language I use, the vernacular, the jargon, and on and on.

I think training practitioners are at a point that it is no longer reasonable or practical to simply create a 90 minute training module packed with every law, regulation, procedure and policy statement about the topic in question, and rationally believe that it will have any impact on the employee. In fact, recent studies show that the shorter (15-20 minutes), more pointed training concepts that involve more interactivity with the viewer result in better retention of the material, and ostensibly, better overall compliance with your privacy, security or compliance objectives. I have also noticed that a trend towards ‘gamification’ of training is getting a lot of press for the way it mimics the participant involved in a video game. The idea is that this level of interaction engages the viewer on almost of sensory level, thus allowing them to fully embrace your curriculum, and ultimately your message.

I have a theory about employee awareness that involves three stages of awareness. It is my opinion that a majority of employees move through these three stages throughout their professional engagement and exposure to training in general. You can also see how, as a developer of awareness programs and as someone who is responsible for company privacy awareness overall, I am very interested in not only how employees move through these stages, but how quickly and efficiently.

The Three Stages of Employee Awareness

Stage 1 of Employee awareness is what I term the “I want to do the right thing” stage. Every employee (hopefully) comes to the organization with the best and most honest of intentions in mind. What they may lack is an understanding of what the right thing is – as your company defines it – and how to go about doing it.  This is where the onus is completely on the trainer to create a program that lays out the intentions of the curriculum in clear and unambiguous terms so that every level of employee throughout the organization walks away with the right message.

Stage 2 of Employee Awareness is what I call the “Is this the right thing?” stage. This level of awareness is where most employees in most companies are. The assumption is that training has been given already or that employees are somewhat aware of what they should or should not do as it relates to say, data privacy, and are conscious of some degree of best practices. This stage is also when employees are starting to exercise their knowledge and e-mail or call me with what they think is the proper way to protect or disclose data and what to just make sure it is correct. If your employees are reaching out to you before they act, then you know that your awareness campaigns and profile is starting to take root and pay dividends.

The last Stage of Employee Awareness is the “Employees just do the right thing” stage.  Since your staff now knows what is and is not the proper way to handle, process, share or store data, they no longer have to either wonder about it or ask you about it. What you have done to raise the visibility of privacy or data security awareness in your firm has now come full circle to bringing everyone up to the level of consciousness that you have. Not many companies are at this level of awareness utopia however. It takes a lot blood, toil, sweat and tears of employee engagement to get to this point, but it is possible – regardless of the industry or silo your company is in. And well worth striving for.

If your company is already in Stage 3 of Employee Awareness, then you have something extra to be thankful for this year.  ;-)

What If Privacy Polices Were As Easy To Read As IKEA Instructions?

I was building a wardrobe closet from IKEA the other day and I realized something remarkable after following the directions, page by page - and there must have been at least 25 pages of directions. Though the closet is over 9 feet tall and at least 8 feet wide, with hundreds of screws, washers, shelves, frames, tracks and bolts, I was able to easily follow the directions to a successful completion - and I am not very handy, let me say - without the directions ever posting a single word. Everything, and every page of instruction was a simple line drawing.

I began thinking about how other people with no privacy background, interest or expertise feel when they look at what we do in the privacy space. That is, how average users of websites and apps feel about the privacy policies that they come across or, god forbid, ever dare to read.  According to a recent study released by the digital branding firm Siegel+Gale, most users of Facebook and Google had fundamental gaps in understanding, even after reading the posted privacy policies, of what the websites were saying in those policies or what they did with customer information.  Think about what that says about the privacy profession and its ability to communicate a coherent message!!? Can you imagine any other industry in which its primary user base or target audience doesn't understand its products? Anyone you know buy a bicycle and not know how to ride it? Because of difficult to read and understand privacy policies, readers of those documents walk away from the policy with no more understanding of what is happening with their data then when they started. If that is the case, then you, as the writer of that policy, have failed your customer.

Years ago, the privacy role was taken by the General Counsel who was typically appointed the Chief Privacy Officer one day because she had written the privacy policy sometime before. It goes without saying that the document was probably a bog of legalese; a vague and deliberately obtuse read that only served to cover the company's metaphorical ass. Then, someone in the company heard that there was a Chief Security Officer in the building. Eureka! So now he should also in charge of security along with privacy. (They are the same things, no?). That worked out well for a while but then it was soon realized that the CISO's primary duty is to protect data so that no one gets to it. That didn't do the marketing folks any good, let alone customers who wanted control over their own data.

As time has elapsed, consumers matured, and our appreciation of the treasure trove that we call our database of customer and employee data begins to rise, I believe that the role of the privacy professional is now converging to a middle ground. The role is moving from the polar extremes it previously inhabited towards an individual with a skill set that is a confluence of three core proficiencies: first, an appreciation of the law, second, respect and understanding of security, and finally, a practitioners eye for the use of data and real world operational understanding of the business. When a privacy policy is written by someone with this kind of resume, an average user who reads it will know exactly what the company is doing with the data they collect and use. Maybe, someday, that privacy policy will be as easy to follow and understand as the directions for building an IKEA closet.