Saturday, November 23, 2013

Vint Cerf's not wrong, idea of privacy as anonymity may be an anomaly

Vint Cerf is someone for whom I have great respect, and a piece of advice: If you ever say anything in public about privacy, choose your words carefully. For example, if you say "Privacy may actually be an anomaly," then a lot of people will assume you said: Privacy is an anomaly. At which point they will stop listening and turn to Twitter to tell you how wrong you are.

I'm pretty sure that what you meant to say was that privacy, as a sense of being entitled to anonymity in all you do, is a concept born of the industrial age and the emergence of large cities where it was possible to achieve a level of anonymity unheard of in agrarian villages.

Do I think that particular concept of "privacy" is  sustainable? Let me preface my answer with a disclaimer: I am a paid up supporter of EFF and I am totally opposed to mass warrantless electronic surveillance and suspicionless physical stop-and-frisk.

But in my opinion, privacy as some people define it today, with a heavy emphasis on anonymity, is not sustainable. This is not because privacy is not a good thing or anonymity a bad thing. But the world has changed. Mass global travel. Complex virtual worlds. Huge online transaction flows. Ubiquitous mobile communication. This is a totally new world and not everyone in it is a good person.

We need to think about how we want privacy to work within this new world. A global digital economy cannot be sustained without trust and accountability, which require identity, and that requires sharing personal information.

For example, if I want to travel to another country I will be required to reveal a lot about myself in order to be granted entry. That's fine by me. And I want my government to know a lot about the people who come to my country. That doesn't mean I want my country to watch everyone all the time and hassle anyone who looks different, but all members of a society need to be onboard with the idea of transparency, without which we cannot have accountability.

I'm not sure if all of that was on Vint's mind when he was speaking, but I know what he means about villages because I've talked about this myself, since the last century. I was fortunate to spend the early years of the commercial Internet living in a small Scottish village (trying to use a dial-up modem over phone lines chewed by sheep did not feel fortunate, but other aspects of the experience made up for it). Of course, the early Internet went through a phase, alluded to by Glen Greenwald in a recent radio interview, where anonymity was not only possible but also liberating.

I won't go on about village life but just think of HIPAA today, then that village 20 years ago, where prayers were said in church on Sunday for people whose medical conditions were openly shared. Heck, you knew who'd seen the doctor that week because you'd watched him making house calls. A degree of privacy was available on demand, but acting anonymously was not easy, as our daughter discovered when neighbors told us where she he had been seen, and with whom.
I alluded to that experience when I published "Privacy for Business" in 2002 (that 240 page book is still available for free download as a .pdf). By 1999 it had become clear to me that digital access to information fundamentally transformed information. To put it another way, information is not just about facts, but also where they are stored and who can access them, plus the ease and speed of access. Telling Debbie at the village store my food preferences did not mean they entered a database. No computer recorded the fact that I had to run a tab at times when my royalty check was late.

On the other hand, when I moved back to a city I did not hesitate to get a discount card at the supermarket chain because frankly that type of tracking does not bother me (and will not unless I find someone is doing evil things with it). I was less willing to share my income information. But as I researched my privacy book I was struck by how many people equated privacy with being able to live anonymously, as though hiding everything you do from everybody was the goal of privacy. Fair enough I suppose, if that is what you mean by privacy, go for it, but then you have to explain why hundreds of millions of people around the world like to share details of their lives on Facebook.

In other words. we are now entering a very challenging period in human history, where the need to protect the citizens of the world from the murderous and unscrupulous will rub up against the desire of honest citizens to control the amount of information about them that is acquired, and by whom, and how it is used. Hopefully this friction will not be framed as a need to surrender some amount of privacy for some amount of security, but as a debate about how much transparency among persons and institutions is necessary to create trust and the wealth and benefits that trust brings to society.

Vint did not to say what another industry veteran once famously said: "Privacy is dead." That was Scott McNealy (someone else who hadn't read my advice about public statements on privacy). I happen to think Scott was trying to say what Vint was trying to say: It's all about present notions of privacy evolving in the light of massive technological change. Notions of privacy have existed since the dawn of humanity, but they have changed over time. Privacy as it was thought of in times past may not exist in the future. But then again, future iterations of privacy may evolve to be even better. A better future is what technology should be about, on that we can all agree with Vint Cerf.

Tuesday, April 30, 2013

Privacy, transparency, credentials and travel: When it could be good to be known

Have you ever waited in line at a security checkpoint thinking: "I wish these people knew exactly who I am, in which case they would know that I'm not a threat and could be waived through?" Maybe it's me, but I have that thought a lot, even though I know full well that the entity doing the controlling might want to know a lot about me in order to give me a free pass or expedited processing.

In fact, when it comes to the U.S. government, it already does know a lot about me. And you might be surprised to hear this, but I'm fine with that, so far.

If I were to place myself on the "privacy meter" on the right, I am very much an open book. This could just be a matter of personality, but as I was standing in line at passport control in Houston last week, it occurred to me that my embrace of transparency may also have something to do with my being an immigrant, a naturalized U.S. citizen, someone who chose to live in America (about 30 years ago).

I think there may be subtle ways in which my attitude to privacy differs from that of some other American citizens, namely, the ones who just happened to be born here and never left. As I sometimes say during presentations about privacy to American audiences: "Unlike most of you, I passed a test to be here." (This line gets a big laugh, even among very conservative audiences, which I take as a sign of the natural good humor and empathy of the American public.)

Sunday, April 28, 2013

Privacy still a vital concern for online businesses

In light of Privacy Awareness Week, I just wanted to remind folks about availability of my privacy book, the first few chapters of which are still a decent primer on privacy for business, despite being about ten years old. The book is free to download in handy .pdf format, searchable and with a table of contents. Here is the opening of Chapter 1:

Privacy is currently a subject of great concern to many consumers. You probably know this already—you are reading this book—but the point is worth emphasizing. No business today can claim ignorance of the importance of privacy as a concern among consumers, a concern that can have significant business impacts, from increased costs to revenues lost, from brand dilution to stock price depression. Every company that wants to interact with customers via the Internet should know that privacy concerns are the primary impediment to such interaction.
And more from later in the same chapter:
Privacy is a formidable challenge because nobody yet understands exactly what privacy means in today’s highly interconnected, heavily computerized, data-dependent world. About the best we can say is that privacy in the information age is a work in progress. In the same way that environmental risks continue to emerge as the dark side of the industrial/technological age, emerging privacy risks have been cast as the dark side of the information age. Whether or not you agree with that assessment, it is indisputable that many people see databases and computer networks as a threat to their personal privacy. Thus, to the extent that your business depends on access to, or makes use of, personal information, you will want to provide reassurances to those who need them, regarding the handling and protection of their personal information.

Interested? Why not download it now?

Privacy Awareness Week 2013

The Asia Pacific Privacy Authorities forum invite you to participate in Privacy Awareness Week (PAW) 2013 to be held from 28 April to 4 May. PAW is held each year to promote greater privacy awareness and the importance of protecting personal information.

Privacy Awareness Week 2013

Privacy Fail: Why someone without MS gets MS related marketing material

This NYT article of privacy caught my eye because for a while we thought my wife might have Multiple Sclerosis. So, like the person in the article, I also researched MS on the web. The article describes how a "search online for information about various diseases, including M.S., on a number of consumer health sites" lead to targeting as an MS sufferer (which has serious potential ramifications for health insurance, employment, etc.).

Provides a good window into the murky market in personal data, a lot of it wholly erroneous. Now consumers have to add "murky data markets" to "dark markets" and the "deep web" when it comes to areas of concern about electronic privacy, data security, and the power of free (to-do-harm) markets.
Personal Data Takes a Winding Path Into Marketers’ Hands -

Monday, June 27, 2011

National Data Breach Law Proposed : Massachusetts Data Privacy Law Blog

"So my question to ponder as I sail adrift in this storm is whether the Massachusetts requirement that businesses have a Written Information Security Program will be eliminated by the passage of this bill in its current state. You see, the proposed Federal law specifically says “supersede any provision of the law…relating to notification…” It doesn’t say any more or any less."

National Data Breach Law Proposed : Massachusetts Data Privacy Law Blog:

Friday, June 24, 2011

Compliance Guide: The New European Online Privacy Law

"The EU recently enacted its new Privacy and Electronic Communications Directive (the “E-Privacy Directive”), an important new policy directive establishing rules for the use of cookies for tracking/storing information on European users will change. Prior to the enactment of the E-Privacy Directive, website operators with customers in the EU were simply required to: (a) inform website users how they use cookies; and (b) provide “opt out” information.

Under the new rules, which went into effect on May 25th, 2011, cookies can only be placed on computers where the user has given their express consent, except in cases in which a website operator doing something that is “strictly necessary” for a service specifically requested by the user."

Compliance Guide: The New European Online Privacy Law: