Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imaging that Bob has only allowed 3rd party applications to see his profile picture and profile status.

After a while, Alice tells Bob about App X. He thinks it sounds cool and adds it to his profile. At this point if App X, via Alice’s profile, looks at Bob’s profile it will see not only his profile picture and status but also his education history, hometown info, activities and movies. That is significantly more than what he authorized in his Application privacy settings. What is going here?

It appears what’s going on is that if Alice and Bob both have authorized the same application, that application no longer respects either user’s Application Privacy settings. Instead, it respects the Profile Privacy settings of each person. In essence, App X acts (from a privacy settings point of view) as if it were a friend of Alice and Bob and not a third-party application.

Putting my privacy commissioner hat for a moment, I’d want to analyze this situation from a consent and disclosure perspective. When Bob confirms his friendship with Alice he is, in a sense, opting in to a relationship with her. This opt-in indicates that he is willing to disclose certain information to Alice. Bob can control what information is disclosed to Alice through his Profile Privacy settings and this allows him to mitigate privacy concerns he has in terms of his relationship with Alice.

What Bob isn’t consenting to (and is not opting in to) is a relationship with Alice’s applications. Bob is completely unaware of which applications Alice currently has or will have in the future. This is an asymmetry of relationship. It is entirely possible that Alice and Bob will have applications in common and once they do the amount of profile information disclosed (by both of them) to an application can radically change and change without notice to either Alice or Bob. Furthermore, it is unclear which Facebook privacy settings Bob needs to manipulate to control what Alice’s applications can learn about him.

This lack of clarity is harmful. It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.

This experiment started after I read the Canadian Privacy Commissioner’s report of findings on privacy complaints brought against Facebook. This report raised significant concerns about third-party applications and their access to profile information.

As of the beginning of Catalyst (today!), Facebook has about 15 days remaining to respond to the Canadian Privacy Commissioner’s office, I hope that this issue about third party applications and privacy controls is meaningfully addressed in Facebook’s response.

(Cross-posted with Burton Group’s Identity Blog.)

Section 4 of the report is, for me, where the action is at. Section 4 is concerned with 3rd party application in Facebook and use of personal data by those applications. As the Facebook platform grows with new additions like Facebook Connect, issues of third-party access to user information will continue to be a concern to those who pay attention to such things. There’s a challenge here as the ways in which 3rd party applications use user information is hard to decipher, as it is, from an end-user perspective, a fairly black-box operation.

I wonder if Facebook could build a personal privacy impact assessment (PPIA) app. The PPIA would analyze the action you are about to take on Facebook, your privacy settings, the 3rd party apps you’ve allows access to your profile, and the privacy settings you have set for those apps. The PPIA could give you a quick read on which applications would be privy to the action you are about to do. It could indicate which groups of friends (based on your privacy settings) would see what you are about to do. Essentially, it would let you see across how much of your social graph a certain action (like posting a link or photo) will travel.

We all have PPIAs built in – one that is cultivated through social interactions schooled by social norms. When it comes to dealing with large systems, like Facebook, big business, or the government for that matter, we all can use a little help.  I wonder if someone can get a PPIA prototype up ahead of Catalyst to at least give me a warning about potentially embarrassing photos being posted somewhere…

(Cross posted from Burton Group’s Identity Blog.)

From what I’ve seen I’d say that enterprises have achieved the opposite kind of translucency with their identity management programs. Though enterprises have achieved some degree of process transparency by suffering through the pains of documenting, engineering, and re-engineering process, they haven’t been able to achieve data transparency. Identity information has yet to become readily available throughout the enterprise in ways that the business can take advantage of. Identity information (such as entitlements) has yet to achieve enterprise master-data status. Worse yet, the quality of identity data still lags behind the quality of identity-related processes in the enterprise.

For those of you attending the Advanced Role Management workshop at Catalyst this year, you’ll hear me and Kevin present the findings from our recent roles research. Throughout our interviews we heard identity teams discuss their struggles with data management and data quality. Finding authoritative sources of information, relying on self-certified entitlement information, and decoding arcane resource codes were just some of the struggles we heard.  No one said that identity data transparency was easy, but without it enterprises can only achieve identity translucency and not true transparency.

(Cross-posted from Burton Group’s Identity Blog.)

Regulators have levied the maximum fine, $250,000, for the recent incident involving Nadya “Octomom” Suleman.  (Kevin commented on this previously.)  All in all, 23 individuals looked at Ms. Suleman’s records without authorization. Of these, 15 have either been fired or resigned.  And although the state regulators have fined Kaiser, they have yet to penalize any of these 23 individuals – which they can do under state law.

As reported in the LA Times, Suleman’s lawyer said:

“I think Kaiser handled it professionally. They found out, they terminated the employees, they brought it to our attention. They certainly didn’t try to hide it.“

It’s important to note that even though Kaiser acted appropriately, laws like SB 541 are clear cut: unauthorized access to medical information =  fine. Do not pass Go; do not collect $200.

As we’ve said before privacy risks are real. The fines are increasing. The number of regulations is increasing. Now more than ever is the time to register for this year’s Catalyst conference so you can attend our Privacy Risks Get Real track and learn how to reduce the chance your organization will become the next “first.”

(Cross posted from Burton Group’s Identity blog.)

And here’s a second bonus: we are making it easier than ever for you privacy professionals out there who haven’t attended a Catalyst before to attend this year. By registering with promo code IAPP, you’ll be able to attend the conference at $300 off the Early Bird rate.  See you in July!

(Cross-posted from Burton Group’s Identity blog.)

I’ve learned that it is generally frowned upon to use the second person in our reports – too informal I am told.  Use the blog if you want to address the audience directly.  Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge.  We had to work hard not to write without using “you.”  And why was that? Privacy discussions are and must be inclusive.  They involve each of us on a far more personal level than a discussion of, say, account lifecycle management.   Cognizant of privacy implications or not, the decisions you make on a daily basis have effects the privacy of your customers and partners.

Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone.  You.  Me.  Everyone. To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leadings to practices and behaviors:

This report is by no means the end of our exploration of privacy – it is just the beginning.  We will continuing the conversation this July, at Catalyst North America, in the “Privacy Risks Get Real” track.  We are working hard to ensure that these discussions reflect the inclusive nature of privacy.  We’ll be exploring privacy concerns across multiple domains: from healthcare to higher education.  Finally, to sweeten the deal, we have worked with the International Association of Privacy Professionals to get some of the tracks at Catalyst approved for Continuing Privacy Education credits.  We are looking forward to continuing the privacy conversations with all of you this July!

Speaking of Catalyst, we have special surprise for IdPS blog readers… Since it is Easter egg hunting season, we’ve placed a couple of them on the Catalyst web site. The prize inside is a super discount code to attend Catalyst. To find the eggs, go to the conference web site and do this:

• Hover (but don’t click) over the “San Diego” icon for 20 seconds

-or-

• Click and hold on the Catalyst logo and then drag your mouse off and release

Register right away – this discount is limited to 50 users and could disappear at any time!

(Cross posted from the Identity Blog @ Burton Group.)

Here’s how it works in a nutshell.  Kevin (seasoned vet) and Ian (newbie) identify a bunch of organizations to talk to.  So far nothing out of the ordinary as compared to our other approaches to research.  That being said, the conversations we have with these organizations is very different from typical research techniques.  Instead of coming to the conversation with a fixed hypothesis that we want to prove out, we come to the conversation with nothing.  No leading questions.  No surveys.  No preconceptions.

In these conversations, we, the analysts, are newbs. We let the people that we are talking to teach us what is important to them about a subject, how they have approached a problem, what wisdom they’d like to share with others.  The analysts furiously take notes, listen, and try not to talk.  Having listened to as many people as we can, we bring the whole team together to find affinities among the statements, identify trends and common techniques, and evaluate the state of a market through the eyes of a customer.

Right now, Kevin and I are in the midst of a role management CR.  Although, we are far too early in the process to comment on what we’ve found, some of the anecdotes we have learned along the way are really fascinating.  Discussions about the needs of the business, efficiencies gained, and methodologies for conducting role analysis – all of these conversations have been grounded firmly in the realities of today’s economy as well as current state of identity management in the enterprise.  You’ll see some of the results of this beginner’s mind approach to analysis at Catalyst this summer.  In fact, the Catalyst workshop on Advanced Role Management is going to be a master-class of a sort, shaped by what Kevin and I learn during this CR process.

Stay tuned for more on our roles CR.  Towards the end of April, I’ll be updating you on how the process has faired.

(Cross-posted from Burton Group’s Identity Blog)