At the RSA Conference in San Francisco this past week, there were plenty of sessions discussing ongoing data privacy developments. Although the recent Target incident was a hot topic, the panel and keynote session discussions were not just about breaches.
From questionable sharing of customer data with other companies, to using metadata in not so obvious ways, to tiny new camera technology that secretly records people, to governments who mine "big data" to stop terrorism, the news was mixed, with typical statements like:
“We need to move from an environment of liability to accountability.”
“This topic is really about values and doing the right things with data for customers.”
“Ask: Does corporate management truly care about morality and ethics - not just what is legal or what they can get away with?”
Several privacy experts described the need for building trust with customers and not just privacy rules that comply with legally-defendable policies.
Battleground issues seemed to be about whether companies not only know what you are doing or where you are physically located (now), but also keep track of where you have been. If yes, for how long? Is that monitoring clearly spelled out to customers in their policies? How easy is it to opt out? Or are company actions spelled out only in multiple-page legalese statements that no one reads?
There were many discussions about the need to have clarity from senior executives regarding how far data collection products push the envelope regarding what is possible, versus what is ethical with data. There will always be someone in every industry who goes farther with data to challenge the status quo.
A few panelists even admitted, “I wouldn’t want to be tracked in these ways (that our competitors use) personally, but we know those other companies are doing certain things. Management often believes we need to keep up.”
The overall outlook was not very positive in the near term. There was even a plea for some security pros to move over to become privacy professionals to help champion causes. One presentation stated that current approaches are not working, with a sense that security protocols, cyber regulations, compliance rules and more have failed us.
Another key question was whether privacy can still “save the day” on end-user data - in areas where cybersecurity has failed us.
The goal: clear ownership and control of data by consumers. If that means “opt-in” controls, which most speakers admitted was a bad word in many corporate circles, then so be it.
Recent Headlines Demonstrate Ongoing Privacy Enforcement Problem
Top news developments over the past week reveal why alarms are going off around the world within some privacy organizations. Advocacy groups are calling for new protections to be enacted to protect the sharing of citizen data.
At the same time, questions are being raised regarding law enforcement’s capability to enforce privacy laws that are already in place. There are thousands of examples of misuse of new technologies to violate laws that exist today.
For example, consider:
1) Someone secretly (and illegally) records the Supreme Court in session – and the video shows up on YouTube. Here are some of the facts:
• The group 99Rise.org, which supports campaign finance reform, posted the video of Wednesday's proceedings on YouTube as part of a protest over the issue.
• No electronic devices, or still or video cameras are permitted in the court's public sessions.
• All spectators, including members of the media, are screened with magnetometers at the entrance to the ornate courtroom.
• There was no immediate explanation of how a camera was smuggled past security.
2) Millions of Yahoo webcam images are intercepted by GCHQ (the United Kingdom (UK) equivalent to the National Security Agency in the USA).
• 1.8m users targeted by UK agency in six-month period alone
• Optic Nerve program collected Yahoo webcam images in bulk
• Yahoo: 'A whole new level of violation of our users' privacy'
• Material included large quantity of sexually explicit images
3) Meanwhile, data is freely given to social media sites by most end users, without users understanding the real impact. However, it is also true that surveys reveal that most people agree with this open book approach – for now.
This article describes one example of this social media trend:
…On one level, many of us broadcast our own photos and videos, reveal our relationship statuses, religions and political preferences, and post our job histories. These kinds of personal details are widely shared – and released under our control. However, there's another level of sharing when we become active participants, engaging with social media sites that encourage us to "check in" at various hotspots or connect with other users via our location. We give the power to watch and manage our information to someone else, and prove we're OK with that.
We obsessively check Facebook and Twitter, share photos on Instagram and Snapchat, and message via Google+ Hangouts and Path. It has become a normal – and somewhat preferred – form of communication among Gen-Yers. But far too many social media apps now go a step further and help others pinpoint where we are – on a map, with a time stamp. For some, it's an accepted, though annoying, form of privacy invasion since social media scratches an itch we have to keep tabs on our friends. But for others, it's all a game….
Can social media companies be trusted regarding privacy controls?
Sen. Ed Markey, D-Mass., sent a letter to FTC Chairwoman Edith Ramirez on Wednesday asking the commission to examine Facebook's changes for possible privacy violations.
Also discussed was overseas news, such as France recently fining Google for privacy violations.
Similar charges against Google were made in the US in a class-action lawsuit.
Some news organizations have encouraged users to quit using social media sites, but this seems draconian to most people online. So what are some alternative answers?
Possible Privacy Solutions?
With privacy policies changing all the time, some new companies are offering services to help keep social media privacy settings up to date and easy to use.
One such company is: Mypermissions.com. Here is a sample message from their website:
“We have built a suite of security tools for protecting personal privacy online, including a free mobile app for iOS, Android and Kindle Fire, and a Web browser plugin that gives users real-time alerts whenever a new application connects. MyPermissions monitors all connected applications across social networking sites including Facebook, Twitter, Google, LinkedIn, Dropbox and more. We give users control over the data that apps are able to access. MyPermissions protects users from unknowingly sharing photos, documents, locations, contacts, emails, or any other sensitive information, and allows them to approve or revoke what apps access their data, and how.”
But a question was raised about whether you can even trust these new privacy portals, which aggregate your data from multiple places. It all comes back to who you can trust online regarding protection of your privacy.
In summary, the many different messages on privacy at the RSA 2014 conference in California provided a mixed picture. Leading privacy advocates were still hopeful that, in the long run, doing the "right things" for customers would win out as a best practice. This translated into clear options, better training and more benefits for customers who opt in and allow their data to be used in new ways.
While data privacy is an evolving challenge in 2014, many privacy pros felt their company was doing a good job with customer data, but the industry overall was struggling.
Experts urged the audience to help others know what’s happening with their data online now. Users need to be constantly educated on how to control privacy settings. And let users opt in (or opt out) based on benefits to them.
One message was clear to attendees: There is plenty of work left to be done regarding privacy.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.