Monday, July 30, 2007

Very Handy Privacy Calendar

Kudos and thanks to for maintaining this very handy calendar of privacy-related events.

Sunday, July 29, 2007

ID Theft Insurance: an update

A handy update on the state of ID theft insurance can be found in this article on the Canadian Underwriter web site.

Tuesday, June 26, 2007

Teenage Tracking Systems: do kids have limited privacy rights?

Noticed this article recently on tracking systems that help parents keep tabs on teen drivers. As my friends will confirm, I was trying to put one of these together myself about 12 years ago. I happen to think it might have altered the course of my daughter's life if I could have mated GPS to CDMA or GPRS. And I think anyone who has a teenager will understand the desire to track their travels. But it raises interesting questions (a great way to spark classrooom discussion of privacy). For example, at what point does a person achieve their right to privacy?

Some people will be eager to point out that, legally speaking, in the United States, driving is a privilege and not a right. And no right to privacy exists as to your location when in public. But still, I think some teenagers would be inspired to research this question if you told them they were going to be tracked.

Monday, June 25, 2007

Are People Quitting Google in Droves? Time will tell

After pondering aloud in my last post about consumer attitudes to Google I did a little digging and found this on the "browser blog" at

Google corners nearly two-thirds of US search market

The latest search market share numbers are in from Hitwise: in the four weeks ended March 31st, Google (GOOG) racked up fully 64.13% of all US searches. That’s up more than 10% since March 2006, and, if trends hold, Google’s share will pass the two thirds mark by August. In the same period, Yahoo (YHOO), Microsoft (MSFT), and Ask (IACI) all lost share. As the old Wall Street hands like to say: “Liquidity begets liquidity.”

Clearly, this is not good news for the search also rans, particularly as it covers a period when all of them made major and costly improvements to their search engines. for example, rolled out an impressive local search service in 2006 and also greatly improved its image searching, and yet its share declined nearly a half a point, to a fragile 3.48%, in the course of the year.

Conventional wisdom has long held that Google is vulnerable to vertical attacks, i.e. search engines that carve out category niches. The new Hitwise data suggests, however, that Google is actually gaining influence in valuable verticals...

That post was dated April 11 and Google was at 64.8% by June according to the blog at Hitwise, readable here. I will keep watching these two sites to see if there is any evidence of a prviacy-fear induced slowdown in Google growth. If Google does not pass the 2/3 mark by August, look for Privacy International to claim some credit.

Wednesday, June 20, 2007

Google Brain Implants: Not yet, likely never

You have to love the opening of this recent article about Google, sourced from Reuters, but written up by New Zealand TV:

Most people missed the announcement about how Google Inc. wants to burrow inside your brain and capture your most intimate thoughts. That's because it never happened. But Google, the world leader in web search services, is the focus of mounting paranoia over the scope of its powers as it expands into new advertising formats from online video to radio and TV, while creating dozens of new internet services.

Interestingly the article -- available online here -- quotes two people at Google who work on privacy. A lot of the recent Google/privacy stories, sparked by the Privacy International press release about its interim report, give the impression that nobody at Google bothers with privacy. The NZ story quotes Nicole Wong, "the Google attorney who oversees a team of lawyers who consider privacy and other policy issues that go into the making of each product," and Peter Fleischer, "Google's global privacy counsel."

So it sounds like Google has a lawyer devoted to privacy and another attorney leading a product review team that has privacy as part of its remit. This is clearly not enough for some privacy advocates and so, if I was Google I would very publicly create a job entitled Chief Privacy Officer and then hire someone with a good industry reputation for the post. That might allay the fears of privacy advocates. In the meantime I am keeping a watch out for any surveys that indicate consumers have any privacy fears that are keeping them away from Google.

Monday, June 18, 2007

The Actual Interim Privacy Rankings: Is Google really hostile and aggressive?

With so much chatter about the "Google Sucks at Privacy" story put out by Privacy International, I thought it would be useful to provide a link to their source document: interimrankings.pdf . Here's a quote:

We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google's approach to privacy that go well beyond those of other organizations.

I have to say that the use of the word "hostilities" in this context is surprising. I've been involved in some pretty serious privacy and security cases and nobody was accused of hostility in their approach to privacy. For example, I was involved when the Federal Trade Commission brought charges against Eli Lilly for violating privacy. I helped Microsoft comply with certain requirements imposed by the FTC to settle charges arising from security and privacy issues. But hostilities? Here's more:
While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy [my emphasis]. This is in part due to the diversity and specificity of Google's product range and the ability of the company to share extracted data between these tools, and in part it is due to Google's market dominance and the sheer size of its user base. Google's status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.

If Google is guilty of "aggressive use of invasive technologies and techniques" where are the regulators and politicians and consumer outrage? Surely Google hasn't bribed them all.
Google's increasing ability to deep-drill into the minutiae of a user's life and lifestyle choices must in our view be coupled with well defined and mature user controls and an equally mature privacy outlook. Neither of these elements has been demonstrated. Rather, we have witnessed an attitude to privacy within Google that at its most blatant is hostile, and at its most benign is ambivalent. These dynamics do not pervade other major players such as Microsoft or eBay, both of which have made notable improvements to the corporate ethos on privacy issues.

I feel compelled to add a phrase to that last sentence: "after consumer outcry." Microsoft was dragged before the FTC and eBay was heckled by members. I'm not aware of widespread consumer outcry over Google. So, I suggest you read the above-referenced "interim" document and decide for yourself. Note that the report was compiled
...using data derived from public sources (newspaper articles, blog entries, submissions to government inquiries, privacy policies etc), information provided by present and former company staff, technical analysis and interviews with company representatives.

Because the 2007 rankings are a precedent, Privacy International will regard the current report as a consultation report and will establish a broad outreach for two months to ensure that any new and relevant information is taken into account before publishing a full report in September.

Does Privacy International make its case or is it really just trying to force Google into a dialogue by holding out the hopes of a less critical final report?

Saturday, June 16, 2007

Privacy Watchdog Tags Google Worst on Web

As you have probably noticed, a UK-based group called Privacy International has ranked Google dead last among a dozen major Internet-based companies in terms of protecting users' privacy: Privacy Watchdog Tags Google Worst on Web.

The sheer size of Google, coupled with the company's ability to share user data between its various subsidiaries, led Privacy International to bestow the [dubious] distinction on the Net's biggest search engine.
This rank ranking might also have had a tiny bit to do with the fact that Privacy International seems to have a really bad relationship with Google. PI is the same organization that put out a press release in 2004 headed "Privacy watchdog vows to bring Gmail to heel." Perhaps not surprising then that PI has not been able to have much of a conversation with Google (which it sued in 16 countries). When PI asserts that Google has an “entrenched hostility to privacy,” one wonders if PI doesn't have an entrenched hostility to Google.

I doubt PI have won any friends within Google with this headline-grabbing "worst of the worst" verdict. Yet one does wonder what exactly Google thinks about privacy. You can get some fascinating insight over at Ray Everett-Church's Privacy Clue.

And I doubt that consumers in general will be avoiding Google in droves because of what PI says. After all, as stated in my last post, consumers are more concerned about “environmental issues, followed by pension and other retirement benefits, and health care.”

Monday, June 11, 2007

In Corporations They Don’t Trust - New York Times

An interesting angle on the privacy debate was revealed in a piece by Paul Brown in the New York Times a couple of days ago. The gist of the piece was that "senior executives really do not have a clue." Brown cited a study in the McKinsey Quarterly, the business journal of McKinsey & Company, that found “a trust gap between consumers and global corporations, as well as a lack of understanding among business leaders about what consumers really expect from companies.” For example, when asked what three concerns would be most important to them over the next five years,

“Executives predicted consumers would put job losses and offshoring first, followed by privacy and data security, and the environment...[whereas]...almost half of the consumers picked environmental issues, followed by pension and other retirement benefits, and health care.”

In other words, CxOs think consumer concern about privacy and data security is greater than it really is. Why would this be, apart from the obvious generalized conclusion that CxOs are out of touch with consumers? I suspect it has something to do with the relentless pressure from security and privacy advocates as well as extensive negative media coverage of security breaches that expose private data. And you might add to that the increasing likelihood that such breaches will be followed by lawsuits, some of which may name CxOs. They may be out of touch with consumers but they are very likely to be in touch with their own self-interests.

Thursday, May 31, 2007

Is the Web Built on a Lack of Privacy?

There are some interesting observations in this TimesOnline article triggered by a BlueCross privacy breach: The web is built on a lack of privacy. The writer is Jonathan Weber, the founder and editor in chief of NewWest.Net, a regional news service focused on the Rocky Mountain West in the United States. As co-founder and editor in chief of the Industry Standard, Mr. Weber is no stranger to the vagaries of the digital age. I'm sure many of us share his righteous indignation:

A few weeks ago I got a letter from Empire Blue Cross, my one-time health insurer, explaining that there had been an unfortunate incident regarding my personal information (and that of my wife and children too, as it turned out). The letter explained at some length how the company had rigorous policies to insure the confidentiality of patient information, requiring that such information be encrypted and so forth. But the company didn't take the trouble to ensure that it's high-minded – and legally required – policy was actually being implemented, and a CD containing unencrypted personal information on many people, including me, had gone missing.
(To digress from privacy for a moment, this letter sounds like it was written by the same BlueCross hack that penned a recent letter to my wife and I informing us that, as a result of cost savings, increased efficiency, and improvements in health care, our monthly premium was being increased by 20%.)

Weber goes on to muse about the potentials for abuse now that so much data about us is stored somewhere out there, by somebody over whom we have scant control (often somebodies who themselves have less than complete control). Yet at the same time, it is our willingness to share information about ourselves that has enable many features of the web, not least of which is the amazing amount of valuable content that is dished up for free (where 'free' equals 'in return for knowledge about the person accessing the infrormation').

The extent to which people accept, or feel comfortable with, this state of affairs varies greatly, as you might expect (particularly if you have listened to my podcast on The Privacy Meter--plug, shameless plug). This is reflected in the comments on the article which display a range of privacy attitudes. They include the infamous quote from Scott McNealy, founder of Sun Microsystems: "You have no privacy. Get over it." (Note: This quote is almost always used out of context but has become a handy verbal marker, serving as everything from a rallying cry or portent of end times, depending upon the quoter's point of view).

The fact is, this stuff is complicated. Some people are more 'open' about their lives than others but you can be very 'open' and still object to careless handling of your data. On the other hand, some people who like their right to privacy have a tendency to confuse it with a right to anonymity, which gets even less of a mention in the Constitution and Bill of Rights than privacy.

There is also a non-trivial socio-economic element to choices about personal privacy. Some people can afford to let the world know all about them without fear of the economic consequences. As someone well-established in his profession, I don't see that much harm would come to me from announcing to the world that I am gay (I am not) but other people fear, sometimes with very real justification, that they will be discriminated against if some of their private choices are made public. The U.S. military's "Don't ask, don't tell" policy towards homosexuality would seem to be a case in point. (During the first 1o years of this policy some 10,000 members of the armed forces were discharged for being homosexual--suggesting that the policy's intent, respect for the privacy of military personnel, was somehow not met).

The whole area of medical privacy, which is where this post started, is a massively complex can of worms. Suppose I present myself to my doctor with a huge bruise on my leg. If the 'fact' that this bruise was caused by me skydiving (it was not) gets into 'the system,' then the cost of various insurance policies involving me could go even higher (yes, there is a data bank somewhere that stores information on your lifestyle and yes, insurance companies do consult it). In other words, if you're Bruce Willis and command $20 million per movie, you can do and say just about anything you like and not care who knows it. The rest of the world needs, for economic reasons, to be, to varying degrees, more circumspect.

Bilking the Elderly, With a Corporate Assist

Wonder why the American public has a dim view of corporate America? Read this article: Bilking the Elderly, With a Corporate Assist. First appeared in the New York Times.

Big name data firms doing business with crooks who target the elderly. And some banks less than eager to put a stop to abuses. Why aren't the privacy police all over this?

Sunday, May 20, 2007

Get Your Privacy News Here!

Looking to stay current with privacy news? I thought it might be useful to list some of the sources I find helpful:
Privacy Digest
Privacy section of Network World
ComputerWorld's privacy section

Ray Everett-Church's Privacy Clue
Electronic Privacy Information Center (EPIC)
DM News

Yes, the DM in the last entry does stand for Direct Marketing and I am aware that some privacy purists consider direct marketing people to be the enemy, but even if you think that way--which I don't--doesn't it make sense to know how the enemy sees things?

p.s. You can also get daily privacy headlines at

Friday, May 18, 2007

TJX: Data breach damage $25 million and counting

Here is a pretty good reason to make sure your company is doing a good job of protecting customer data: TJX: Data breach damage $25 million and counting.

That's right, according to SearchSecurity, the bottom line for TJX Companies Inc. took a big hit in the first quarter of 2007, thanks to a $12 million charge tied to the security breach that exposed at least 45.7 million credit and debit card holders to identity fraud. In total, the breach has cost the company about $25 million to date. And that doesn't include the cost of customers who decided to shop elsewhere.

Thursday, March 22, 2007

TJX Faces Suit From Shareholder: Cost of privacy breach expands

You can get an idea of how much trouble a privacy breach can cause from this article: TJX faces suit from shareholder. As predicted by myself and other security experts at least ten years ago, shareholders are suing over a security breach that hurt the value of their stock.

Thursday, February 15, 2007

The Privacy Meter: A new podcast from Stephen Cobb

Where do you stand on privacy? Are you 'open' or 'closed'? And how does that affect your company? Is privacy a liability or an asset. Check out the podcast and follow along with the matching slides located here.

Tuesday, February 6, 2007

TJ Max-imum Impact: The big name in privacy breaches

After 54 million private records exposed in 2005, 48 million in 2006, it only took one month, January, for 2007 to set records. The TJX Companies experienced an "unauthorized intrusion" into computer systems that process and store customer transactions including credit card, debit card, check, and merchandise return transactions. While the intrusion was discovered mid-December 2006, it was not announced until January, 2007, and the numbers are staggering:

  • 45,700,000 credit and debit card account numbers
  • 455,000 merchandise return records containing customer names and driver's license numbers
Apparently this was the result of deliberate hacking, not just a badly configured web server or stolen laptop. But it puts 2007 on track to be the worst year ever for security breaches. Check out the Privacy Rights Clearinghouse chart for 2007.

Wednesday, January 10, 2007

Happy New Year! Get your free privacy e-book here

No catches, no gimmicks, no kidding...I have made the electronic version of my privacy book available at no charge. You can download it in Adobe Acrobat format from this page, no registration required, then read it on your computer (or PDA if your PDA does Acrobat documents).

You can distribute it within your company to enlighten your employees. Use it to train them on privacy. Send a copy to the head of marketing to help him get a clue about privacy. About the only things you can't do with it are:

  1. sell copies of it,
  2. change it,
  3. claim you wrote it,
  4. print it out.
Why am I doing this? Well, there is going to be a new edition of the book some time this year (late this year in all likelihood). Any feedback or suggestions I get from people who read the current edition will be helpful in that project. Besides, if people find the electronic version useful they may order physical copies (from Atlas Books or on Amazon).

Happy New Year!