As more online applications and services begin to proliferate in the webisphere, the likelihood is that the similar services will all begin to converge to sameness as competitors race to fill in the void of uniqueness. As the characteristics of distinction begin to dissipate between all of the various services and applications, there leaves but one thing that the companies will rely on to differentiate themselves from their competitors - data. And of course whose data will they use to achieve that distinction? Yes, of course. Yours.
If information is the new oil of the 21st century, then companies will need to constantly be 'drilling' or mining for it in the form of data collection - be it overt or covert. Right now companies that collect data for personalization purposes do it in a way that reminds me of awkward and unsophisticated teenagers fumbling their way through the initial stages of romance. But a few years from now - 5 years at the most - the level of personalization that online companies will offer up to users will be so slick and fine-tuned it will be transparent to the average person how the decision to offer up that product was arrived at.
Remember that scene in the movie, Minority Report, when Tom Cruise was walking into the Gap store and the store's cameras were reading his eyes and offering him personalized ads and even clothing suggestions? That is the future - both literally and figuratively - for consumers. The irony of course in that scene is that Tom Cruise had just had his eyes replaced with another set from a dead person so that the police would not be able to successfully track him. If you recall the scene in the movie Cruise had had a set of eyes from a Japanese man, so the ads (and the accompanying hologram lady) was personalized for him. ("Welcome back to the Gap, Mr. Yakamoto. How did the assorted tank tops work out for you?"). This is approximately the state where we are at now with personalization, all due to the rudimentary way data is collected on us now as we move across mobile platforms online.
Most (rational) people agree that the Faustian bargain that the internet has offered us all in exchange for its low or zero cost is the trade-off for our data and small pieces of privacy. You would be hard pressed to find people willing to pay for the free service they have enjoyed for the last 10 or fifteen years, just so that they don't see any ads. What most of us object to really I think, is the misguided ads or offerings that waste our time and screen real estate. (Do I need to see ads for e-cigarettes if I am not a smoker?)
Big Data is what it's called but it might be better called 'Big Dumb Data.' At least for now. Yet, some companies are very rapidly moving up the pace of innovation and sophistication with the use of the resources that they are filling their Oracle databases with. Slowly but surely you can see the flashes of refinement happening, and you see a unique company or two take the lead with the information that they possess and truly differentiate themselves from their competitors. As I said, 5 years from now when we may even be at a point to be able to make sure it is indeed Mr. Yakamoto who is in need of some more tank tops when the pitch is made to him. And the only way that can be done is with data.
Tuesday, January 1, 2013
Monday, December 24, 2012
A gift to yourself this year? How about a better privacy profile?
A headline today in the Motley Fool's great online financial site entitled The Best Gift to Give Yourself This Year, made me think about what might really be a great gift to give yourself, and at little to no cost. How about the notion of enhanced privacy? Or really what we are talking about is more anonymity, especially online.
In the last year I have seen and have personally used a number of great technological tools and best practices to help minimize my exposure and vulnerability to excess data proliferation.
Now, I am no technological Luddite or privacy alarmist, and I believe in and understand how the Internet works and how the low-cost model has benefited the modern world thanks to advertising. Yet, I am sure you have all seen quite often in the press the exaggerated reviews about services and applications that if used on your smartphone, would threaten the very existence of Western Civilization!?!!. I benefit fro many of these applications myself, but we are very very quickly coming to the point where the value proposition is tilting too favorably in the other direction against regular consumers.
First up a couple of behavioral changes that you should consider adopting in 2013. For example, don't get in the habit of logging in to new applications or websites with your Facebook or Twitter or any other 3rd party credentials. I realize it is expeditious and convenient, but it allows not only the 3rd party site (Facebook, Google, Twitter, etc.) to continue to build a profile of you, but it lengthens the bread crumb trail of your actions and activities on the web. If you every want to disappear forever, you'll have a rough time of it since you left so many clues as to your possible whereabouts and past behaviour.
Second, start to take notice of new windows that pop-up in and around websites offering you the ability to control the cookie and ad choices that are shown to you. You can begin to be much more proactive about what cookies some websites are allowed to leave on your machine when you visit that site. Most European websites (and some of the more forward-looking U.S. sites) now offer up an express consent option when you visit the site for the first time, to control how the site will track you now and in the future. A great product from a company called Evidon which services up the "AdChoices' icon on some websites will allow you to proactively opt-out of being tracked by hundreds of tracking companies with one click on a page on their website. Thru Evidon's Open Data Partnership (ODP), users can easily manage the profiles that different companies have created about them and their interests.
As for technology, and for the more paranoid among us, I have been using a browser called Tor lately that really hides or disguises your activities online. The service works by 'bouncing' your communications around a distributed network of relays around the world you connect to which is run by volunteers (i.e. you, if you use the browser). Tor prevents someone from watching your Internet connection and building a profile on you via the sites you visit. An added benefit is that the browser prevents the sites you visit from learning your actual physical location, and it lets you access sites which are blocked - which your IT guys at work will no doubt love. (as I was writing this blog, I fired up the Tor browser and the IP address that my machine was displaying to the outside world made it appear as though I was in the Czech Republic. Good stuff!)
This is just a short list of technologies and behavioral changes that you can easily adopt to improve your privacy posture in the new year. Almost all of these services and activities are free. In most cases, the cost is nothing more than a few extra minutes of your time to set a profile or check a box on a website. Generally, there is nothing to pay for. All you need to do is start to pay attention.
Happy Holidays and Happy New Year!
In the last year I have seen and have personally used a number of great technological tools and best practices to help minimize my exposure and vulnerability to excess data proliferation.
Now, I am no technological Luddite or privacy alarmist, and I believe in and understand how the Internet works and how the low-cost model has benefited the modern world thanks to advertising. Yet, I am sure you have all seen quite often in the press the exaggerated reviews about services and applications that if used on your smartphone, would threaten the very existence of Western Civilization!?!!. I benefit fro many of these applications myself, but we are very very quickly coming to the point where the value proposition is tilting too favorably in the other direction against regular consumers.
First up a couple of behavioral changes that you should consider adopting in 2013. For example, don't get in the habit of logging in to new applications or websites with your Facebook or Twitter or any other 3rd party credentials. I realize it is expeditious and convenient, but it allows not only the 3rd party site (Facebook, Google, Twitter, etc.) to continue to build a profile of you, but it lengthens the bread crumb trail of your actions and activities on the web. If you every want to disappear forever, you'll have a rough time of it since you left so many clues as to your possible whereabouts and past behaviour.
Second, start to take notice of new windows that pop-up in and around websites offering you the ability to control the cookie and ad choices that are shown to you. You can begin to be much more proactive about what cookies some websites are allowed to leave on your machine when you visit that site. Most European websites (and some of the more forward-looking U.S. sites) now offer up an express consent option when you visit the site for the first time, to control how the site will track you now and in the future. A great product from a company called Evidon which services up the "AdChoices' icon on some websites will allow you to proactively opt-out of being tracked by hundreds of tracking companies with one click on a page on their website. Thru Evidon's Open Data Partnership (ODP), users can easily manage the profiles that different companies have created about them and their interests.
As for technology, and for the more paranoid among us, I have been using a browser called Tor lately that really hides or disguises your activities online. The service works by 'bouncing' your communications around a distributed network of relays around the world you connect to which is run by volunteers (i.e. you, if you use the browser). Tor prevents someone from watching your Internet connection and building a profile on you via the sites you visit. An added benefit is that the browser prevents the sites you visit from learning your actual physical location, and it lets you access sites which are blocked - which your IT guys at work will no doubt love. (as I was writing this blog, I fired up the Tor browser and the IP address that my machine was displaying to the outside world made it appear as though I was in the Czech Republic. Good stuff!)
This is just a short list of technologies and behavioral changes that you can easily adopt to improve your privacy posture in the new year. Almost all of these services and activities are free. In most cases, the cost is nothing more than a few extra minutes of your time to set a profile or check a box on a website. Generally, there is nothing to pay for. All you need to do is start to pay attention.
Happy Holidays and Happy New Year!
Wednesday, December 5, 2012
"Secure data access in a mobile universe" - Interview with the Economist Intelligence Unit
I was recently interviewed by a journalist, Lynn Greiner, who was
working on a paper for the EIU and we talked about data security, mobility and the ever-common phenomenon of BYOD (bring Your Own Device to work).
The full white paper is here (http://tinyurl.com/a76vfow) but here are some excerpts:
The full white paper is here (http://tinyurl.com/a76vfow) but here are some excerpts:
Preventing
the data from being stored on a mobile device at all is another
strategy. Al Raymond, vice president of privacy and records management
at Aramark, a US foodservice supplier, says authorised users who need to
access company information remotely do so over a secure virtual private
network (VPN) from their laptops or
mobile devices. No data other than email are stored on the device
itself, making it relatively easy to protect corporate data assets
should the employee leave, or lose the device.
Some
companies that have BYOD policies expect executives and employees to
make sure they have necessary software on their devices, at their own
expense. Others reimburse all or part of the cost of programmes required
specifically for business. Proper configuration and good usage
practices must be monitored and enforced
centrally, Aramark’s Raymond says, adding that regularly reinforced
security awareness training also keeps secure data access fresh in
employees’ minds.
Aramark’s
Raymond says his company takes an alternative approach to
device-centric mobile security administration. Workers use the mobile
device purely as a viewer, leaving company data on Internet-connected (remove this) securely accessible corporate servers that do the heavy computing, and not on the device itself.
The
average cost of a corporate data breach incident hit US$7.2m in 2010,
according to the Ponemon Institute, a consultancy. That’s more than
double the average cost in 2005. Mr Raymond thinks that these figures
ring true, given the number and types of breaches, adding that there are
hundreds of small incidents each year and a few major ones that may hit
US$25m–US$500m.
Before the introduction of Aramark's formal mobile policy ten
months ago, people had no defined rules telling them what devices and
operating systems were eligible to be connected to the company network.
With the new policy, entailing role-based access and approved devices
and configurations, the company knows precisely who has access and to
which data. "It's no longer a wink and a nod," Raymond says. The higher the visibility of your program, the more likely it will be adhered to.
Mr.
Raymond says that, although his business doesn't require it, separate
environments for business and personal use are important, but if the
policies surrounding them, or any other security measures, are not
enforced, there will be issues. He says he is always surprised, when
speaking with his peers, at how much of security in large organisations
is just "smoke and mirrors". The words are there, the enforcement isn't.
Thursday, November 22, 2012
The Three Stages of Employee Awareness...Where are you?
On this Thanksgiving Day 2012, as we make efforts to be
aware of what we are grateful for, I can’t help but gravitate to other related
aspects of awareness – employee awareness. Specially, employee awareness
training and how it effective it is.
The other reason that this topic comes to mind is because I
am currently developing a new privacy awareness curriculum for my company. Like
every other developer of training, I am concerned about many things: the
delivery, the topics, the accessibility of the material, the level of interest
of the participant, the language I use, the vernacular, the jargon, and on and
on.
I think training practitioners are at a point that it is no
longer reasonable or practical to simply create a 90 minute training module
packed with every law, regulation, procedure and policy statement about the
topic in question, and rationally believe that it will have any impact on the
employee. In fact, recent studies show that the shorter (15-20 minutes), more
pointed training concepts that involve more interactivity with the viewer
result in better retention of the material, and ostensibly, better overall
compliance with your privacy, security or compliance objectives. I have also noticed
that a trend towards ‘gamification’ of training is getting a lot of press for
the way it mimics the participant involved in a video game. The idea is that
this level of interaction engages the viewer on almost of sensory level, thus
allowing them to fully embrace your curriculum, and ultimately your message.
I have a theory about employee awareness that involves three
stages of awareness. It is my opinion that a majority of employees move through
these three stages throughout their professional engagement and exposure to
training in general. You can also see how, as a developer of awareness programs
and as someone who is responsible for company privacy awareness overall, I am
very interested in not only how employees move through these stages, but how
quickly and efficiently.
The Three Stages of
Employee Awareness
Stage 1 of Employee awareness is what I term the “I want to
do the right thing” stage. Every employee (hopefully) comes to the organization
with the best and most honest of intentions in mind. What they may lack is an
understanding of what the right thing is – as your company defines it – and how
to go about doing it. This is where the
onus is completely on the trainer to create a program that lays out the
intentions of the curriculum in clear and unambiguous terms so that every level
of employee throughout the organization walks away with the right message.
Stage 2 of Employee Awareness is what I call the “Is this
the right thing?” stage. This level of awareness is where most employees in
most companies are. The assumption is that training has been given already or
that employees are somewhat aware of what they should or should not do as it
relates to say, data privacy, and are conscious of some degree of best practices.
This stage is also when employees are starting to exercise their knowledge and
e-mail or call me with what they think is the proper way to protect or disclose
data and what to just make sure it is correct. If your employees are reaching
out to you before they act, then you know that your awareness campaigns and
profile is starting to take root and pay dividends.
The last Stage of Employee Awareness is the “Employees just
do the right thing” stage. Since your
staff now knows what is and is not the proper way to handle, process, share or
store data, they no longer have to either wonder about it or ask you about it.
What you have done to raise the visibility of privacy or data security
awareness in your firm has now come full circle to bringing everyone up to the
level of consciousness that you have. Not many companies are at this level of
awareness utopia however. It takes a lot blood, toil, sweat and tears of
employee engagement to get to this point, but it is possible – regardless of
the industry or silo your company is in. And well worth striving for.
If your company is already in Stage 3 of Employee Awareness,
then you have something extra to be thankful for this year. ;-)
Thursday, November 1, 2012
What If Privacy Polices Were As Easy To Read As IKEA Instructions?
I was building a wardrobe closet from IKEA the other day
and I realized something remarkable after following the directions, page by
page - and there must have been at least 25 pages of directions. Though the
closet is over 9 feet tall and at least 8 feet wide, with hundreds of screws,
washers, shelves, frames, tracks and bolts, I was able to easily follow the
directions to a successful completion - and I am not very handy, let me say -
without the directions ever posting a single word. Everything, and every
page of instruction was a simple line drawing.
I began thinking about how other people with no privacy
background, interest or expertise feel when they look at what we do in the
privacy space. That is, how average users of websites and apps feel about the
privacy policies that they come across or, god forbid, ever dare to read. According to a recent study
released by the digital branding firm Siegel+Gale, most users of Facebook and
Google had fundamental gaps in understanding, even after reading the posted privacy
policies, of what the websites were saying in those policies or what they did
with customer information. Think about
what that says about the privacy profession and its ability to communicate a
coherent message!!? Can you imagine any other industry in which its primary user
base or target audience doesn't understand its products? Anyone you know buy a
bicycle and not know how to ride it?
Because of difficult to read and understand privacy policies, readers of those
documents walk away from the policy with no more understanding of what is
happening with their data then when they started. If that is the case, then you,
as the writer of that policy, have failed your customer.
Years ago, the privacy role was taken by the General
Counsel who was typically appointed the Chief Privacy Officer one day because
she had written the privacy policy sometime before. It goes without saying that
the document was probably a bog of legalese; a vague and deliberately obtuse read
that only served to cover the company's metaphorical ass. Then, someone in the
company heard that there was a Chief Security Officer in the building. Eureka! So
now he should also in charge of security along with privacy. (They are the same
things, no?). That worked out well for a while but then it was soon realized
that the CISO's primary duty is to protect data so that no one gets to it. That
didn't do the marketing folks any good, let alone customers who wanted control
over their own data.
As time has elapsed, consumers matured, and our
appreciation of the treasure trove that we call our database of customer and
employee data begins to rise, I believe that the role of the privacy
professional is now converging to a middle ground. The role is moving from the
polar extremes it previously inhabited towards an individual with a skill set
that is a confluence of three core proficiencies: first, an appreciation of the
law, second, respect and understanding of security, and finally, a
practitioners eye for the use of data and real world operational understanding
of the business. When a privacy policy is written by someone with this kind of
resume, an average user who reads it will know exactly what the company is
doing with the data they collect and use. Maybe, someday, that privacy policy
will be as easy to follow and understand as the directions for building an IKEA
closet.
Monday, October 29, 2012
Privacy's Double-edged Sword - Protecting Good and Bad Guys
In our 'always on and connected world' there is certainly enough evidence of how the respect of privacy is a good thing. There are enough of my peers in the privacy space who have taken it as their God-given duty to protect us from ourselves, as if God spoke to them like He did to Abraham.Yet the tendency towards paternalism aside, and as much as the cry for more privacy protects us good citizens, it also protects some bad guys as well.
In a the recent decision from Canada, the Supreme Court of Canada indicated that employees may have a reasonable expectation of privacy for information that may reside on work-issued computers, at least where personal use is either permitted or reasonably expected. Sounds simple enough. But here is the nuance.
A high school teacher had a school-issued laptop in his possession that he was permitted to use the for incidental personal purposes as well . As a system administrator, he was also able and responsible for policing student use of their school-issued laptops, and could therefore access hard drives of student laptops.
The school had a robust Acceptable Use policy that stated, among other things, incidental personal use of laptop was allowed; teachers’ email correspondence was private, subject to certain conditions; all data and messages generated or handled by school hardware were the property of the school, and, finally, that users should not expect privacy in their files.
While an IT staff member was performing some routine maintenance on the teacher's machine, he found a folder on the laptop that contained nude and partially nude photographs of a female student . The technician told the school principal and the photographs were copied to a CD. The principal seized the laptop, and turned both the laptop and the CD over to the police. The teacher was then subsequently charged with possession of child pornography and unauthorized use of a computer.
The reason the Supreme Court interceded is because the police who reviewed the laptop, did so without a proper search warrant. They ruled that the teacher did have a reasonable expectation of privacy in his use of the laptop, as the school policy indicated that users were allowed some incidental use of the machine.
Though the Court did not rule specifically on the issue of how and if employers can monitor their employees and employees use of company or school owned equipment, the matter does highlight that the umbrella of privacy does protect both good guys and the bad guys from the same rainstorm. Though the teacher's behavior and activities indicate some deplorable and nefarious activities that are wholly inexcusable in any context, one must also recall that Lady Justice is most often depicted with a set of scales suspended from one hand, upon which she measures the strengths of a case's support and opposition. If you look closely, you will also notice that she is also often seen carrying a double-edged sword in her other hand, symbolizing the power of Reason and Justice, which may be wielded either for or against any party. Good or bad.
In a the recent decision from Canada, the Supreme Court of Canada indicated that employees may have a reasonable expectation of privacy for information that may reside on work-issued computers, at least where personal use is either permitted or reasonably expected. Sounds simple enough. But here is the nuance.
A high school teacher had a school-issued laptop in his possession that he was permitted to use the for incidental personal purposes as well . As a system administrator, he was also able and responsible for policing student use of their school-issued laptops, and could therefore access hard drives of student laptops.
The school had a robust Acceptable Use policy that stated, among other things, incidental personal use of laptop was allowed; teachers’ email correspondence was private, subject to certain conditions; all data and messages generated or handled by school hardware were the property of the school, and, finally, that users should not expect privacy in their files.
While an IT staff member was performing some routine maintenance on the teacher's machine, he found a folder on the laptop that contained nude and partially nude photographs of a female student . The technician told the school principal and the photographs were copied to a CD. The principal seized the laptop, and turned both the laptop and the CD over to the police. The teacher was then subsequently charged with possession of child pornography and unauthorized use of a computer.
The reason the Supreme Court interceded is because the police who reviewed the laptop, did so without a proper search warrant. They ruled that the teacher did have a reasonable expectation of privacy in his use of the laptop, as the school policy indicated that users were allowed some incidental use of the machine.
Though the Court did not rule specifically on the issue of how and if employers can monitor their employees and employees use of company or school owned equipment, the matter does highlight that the umbrella of privacy does protect both good guys and the bad guys from the same rainstorm. Though the teacher's behavior and activities indicate some deplorable and nefarious activities that are wholly inexcusable in any context, one must also recall that Lady Justice is most often depicted with a set of scales suspended from one hand, upon which she measures the strengths of a case's support and opposition. If you look closely, you will also notice that she is also often seen carrying a double-edged sword in her other hand, symbolizing the power of Reason and Justice, which may be wielded either for or against any party. Good or bad.
Sunday, September 30, 2012
The Arms Race of Privacy Laws
This month
Texas became the latest state to either introduce its own breach notification
law, or modify its existing one. The Texas House
Bill 300 is an update to the Texas breach law already on its books. The law is
amongst the now 46+ disparate laws on the books that businesses in the U.S.
must navigate and be expected to comply with if they do business in more than one
state, or posses the information of a resident of more than one state. I imagine
that this is the kind of convoluted (and expensive) business environment that
companies in Europe had to deal with before the European Union codified most of
their laws.
A
cursory reading of the Texas law's provisions makes it appear as though companies
now have additional obligations in Texas. For example, the law states that you
must train employees on Personal Health Information within 60 days of hire,
rather than simply on an annual basis. (Damn your existing training regime that
is done annually for administrative ease or convenience!) As well, if your company
thought of yourself as only a business associate in Texas, well guess what?
Voila! Even if you were simply acting as a 'business associate' for a client,
this law now considers you a 'covered entity' under their definition.
Lastly,
the penalties under this law appear to be particularly egregious. The big
difference here versus HITECH is that House Bill 300 can penalize a company
everyday for each day they fail to notify patients of a privacy incident.
This
precarious situation for large and small business alike is the Congress;
failure to act in passing a national law, superseding every state law. When
states get impatient for the Fed to act they take matters into their hands. Many
times, especially in the case of privacy and security law, they do it with the
best intentions. Unfortunately, we often get a morass of confusing and
contradictory pronouncements that are either unbelievable overreaching in scope
or just simply too complex and punitive for a small company to attempt to
comply with. This 'arms race' of states passing their own laws sometimes results
in laws so esoteric and narrow that it may lead a small company to just ignore,
or rationalize that it is easier and cheaper to pay any fines associated with
non-compliance than to try and comply with the law
.
And
then sometimes you get laws that appear (at least to me) to be only knee-jerk
reactions to high profile cultural events like texting while driving. Granted,
this is a dangerous trend and equally dangerous activity that is a negative by-product
of modern technology. It makes sense to not do it in practice, But to pass a
law against prohibiting texting while driving is, to me, pure demagoguery. So,
you can't text while driving, but you can still eat, drink coffee, change the stations
on your radio, program your GPS sing, turn around the slap your kids, put on
make-up, and on and on... or what about the recent phenomenon of companies
asking employees for their Facebook passwords. I am not sure about your company,
but since when did this become such a national epidemic, like SARS, or Swine
Flu? Is this 1950 and employers are asking employees if they are now or have
ever been a member of the Communist Party?
Sure, I believe it happens and it is wrong, but do we need to create and
pass specific
laws against it? Don't our legislators have anything better to worry about?
Yes,
all of these activities generate press and show citizens that their generally do-nothing
members of Congress are actually doing something. (I like to recall of Hemingway's
great line here: "Don't confuse motion with action."). But the
outcome is just another law layered on top of all the other laws that companies,
large and small, must deal with to be in compliance. The real ARMS race of nuclear
arms proliferation ended between the U.S. and Soviet Union ended in the 1970's
with the SALT I and II Talks. Maybe lives aren't at stake here as they were
with ICBM missiles, but maybe we can convince Congress that the situation for privacy
and security law compliance is dire enough to warrant a SALT talk for the
prevent and further proliferation of these one-off, ad-hoc laws and end this
arms race too.
Subscribe to:
Posts (Atom)