Posted March 6th, 2009 Being the new-ish addition to the IdPS team is, well, an interesting place to be. Besides the requisite induction activities (ask me at Catalyst how you pick up the dry cleaning for a team who lives all across the country), I’ve been working with my peers on vastly different pieces of research. And being curious by nature, I’m loving the chance to not only dig into different topics, but also observe how different people go about the actual process of analyzing a topic or a market. One technique that Burton Group uses is Contextual Research (CR). Essentially, the CR process is meant to challenge an analyst’s knowledge of a subject and their associated preconceived notions as to what problems enterprises face and how they are facing them. It turns seasoned veterans, experts in the field, into beginners again. This is what practitioners of Zen Buddhism call “beginner’s mind.”
Here’s how it works in a nutshell. Kevin (seasoned vet) and Ian (newbie) identify a bunch of organizations to talk to. So far nothing out of the ordinary as compared to our other approaches to research. That being said, the conversations we have with these organizations is very different from typical research techniques. Instead of coming to the conversation with a fixed hypothesis that we want to prove out, we come to the conversation with nothing. No leading questions. No surveys. No preconceptions. Continue reading "Zen Mind, Newb Mind"...
Posted February 13th, 2009 When you think of “the usual” privacy risks you think of things like brand and reputation damage, fines, and increased regulations. You don’t think of jail time for executives. But jail time is exactly what some Google executives face if an Italian prosecutor has his way.
The arrest of Peter Fleischer, Google’s Paris-based Global Privacy Counsel, in Milan on January 23 stems from video that was briefly available on Google’s site in Italy. The video showed high school students bullying a classmate with Down Syndrome. Google took down the video in less than 24 hours after receiving complaints about it. The view of Milan’s public prosecutor is that permitting posting of the video for any period of time was a criminal offense. Fleischer and three other Google employees have been charged with defamation and failure to control personal information.
In our forthcoming report, Bob and I explore the contextual nature of privacy. Google clearly operates in multiple geographic and legal contexts. In the US, Google enjoys protections similar to those afforded “common carriers”. However, in Italy, Google is being treated as a content provider and not a content distributor, and thus is not receiving any such protection. Continue reading "Privacy risks get real"...
Posted February 5th, 2009
Nishant has commented on my post about federated provisioning. He has provided two different examples of federated provisioning. One of these, the advanced provisioning example, involves a company who manages its employees’ access to a service provider service via provisioning. In this case, Nishant agrees with me that provisioning of this sort is no different than provisioning the UNIX box down the hall.
But it is Nishant’s second example, the just-in-time provisioning example, which is a bit tougher. In this case, the enterprise and its service provider have a federation in place. Using SAML-based authentication, a new user attempts to access the service provider’s service. The idea (hope?) is that the service provider recognizes the new user request, provisions the user, and authenticates the user in the same conversation. Nishant does add a degree of difficult in this scenario as he ties the federation service to a provisioning service. Grabbing attributes from the SAML token, creating a SPML message, and handing that to a provisioning service is possible, but as a commentator points out this sort of interop isn’t spec’ed out so the heavy lifting is left to the service provider. And even if the service provider doesn’t want to directly link its federation and provisioning services, it still needs to grab that assertion attributes and create the account in the backend system.
Continue reading "Will the “real” federated provisioning please stand up?"...
Posted January 29th, 2009
I mentioned yesterday that Bob and I have just finished up some research on privacy. In this upcoming report, we stress the importance of establishing privacy principles and then using those principles to guide privacy practices. I happen to see this NY Times article (via Nishant’s Twitter stream) and had a bit of a Baader-Meinhof moment. The article talks about how social networking sites are giving their end-users more and more control over how information is disclosed. Giving users choice as to how their information is disclosed and used is important. Giving users meaningful choice as to how their information is used is much better.
One of the privacy principles that Bob and I examine in our report is the principle of Meaningful Choice:
Robbing others of the ability to exercise their free will is an affront to dignity; therefore we allow people to decide how we will use information about them. When presenting people with choices about how we will be allowed to use their information, we design easy-to-understand interfaces which reduce the possibility of confusing people, and we avoid creating “Hobson’s choice” situations in which people are forced to choose the lesser of a set of evils.
As an ex-interface and product designer, I am especially sensitive to usability and the principle of Meaningful Choice directly addresses this. Providing an end-user with a difficult to use privacy settings tool and then saying, “Well, we gave you choice as to how your information gets used” exploits the power imbalance between the service provider and the user. As the interaction between the user and the service provider become more and more valuable (moving from social networking to, say, electronic health records), such an exploitation is less and less acceptable. Continue reading "Putting privacy controls in the hands of your users"...
Posted January 28th, 2009
Today is International Privacy Day (and also National Data Privacy Day here in the USA and maybe where you are too). The day is set aside to celebrate the anniversary of the Council of Europe Convention on Data Protection. Put on your reading list for today both the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
It’s also, felicitously, the end of the quarter for us here Burton Group, which means that we are trying to wrap up the final edits of our reports and send them off for peer review. This quarter Bob Blakley and I have been researching privacy. We’ve talked to a variety of different kinds of companies of all sizes in many industries, and we’ve come away with a lot of lessons.
Two of these lessons are that privacy is deeply contextual, and that this contextual nature prevents privacy from being easily defined. Without a strict definition, though, how does an enterprise privacy team proceed? Can you write policies concerning something which means one thing in one setting and something different in another? It turns out, we think, that you can.
Principles.
I practice martial arts. Every martial art has a set of principles. Though these principles may differ, their use is the same. Principles guide practice. You practice your art in multiple contexts to prepare you for whatever may come. In each of those contextualized situations, your principles guide your response. (Synchronicity moment number one). Continue reading "International Privacy Day: Synchronicity"...
|
|
what others say