Also, I am thinking of building a new version of Privacy Mirror to use the graph API. Any one have feature requests?

Privacy has moved beyond the compliance officer and is receiving better representation in business operations. Example of this include an increased presence of privacy practices in

• project and software development lifecycles
• procurement and contracting processes especially with respect to procurement 3^rd party services

In some sense this has given privacy, and its closely aligned peer – data protection, more of an outward appearance of risk management than compliance. This is evidence of privacy’s maturation.

But as privacy matures, as privacy is seen for its risk management capabilities, as privacy gets more engrained in business operations, better metrics relating to privacy are needed.

I sat in one session in which privacy professionals talked about the challenges of building dashboards to display privacy metrics. Few could point to meaningful dashboards that they had built. Fewer still felt they had a clear handle on what kinds of questions they should be answering and how they should measure to do so. This challenge relating to measuring privacy lines up with recent research I published on policy governance.

As demonstrated by the size of this year’s Privacy Summit, it is clear to see the privacy profession is growing. The questions and nuanced challenges privacy professionals raised during the week are further evidence of privacy’s maturation. Privacy professionals are searching for more metric-driven ways to represent their efforts and programs especially as they work with their business partners. The results of this search for more tangible things to measure is part of the growing pains of privacy that the industry must endure.

Questions that I’d like to see answered are:

• How many crimes were not committed because of the presence of a CCTV camera?
• How many crimes were committed in a different location because of the presence of a CCTV camera?

The first question is impossible to answer. The second can be answered and a UC Berkeley study of the city San Francisco’s CCTV camera efficacy has been released. You can ready about the results here and here. The San Francisco study shows the cameras move crime from areas near cameras to areas away from cameras – no big surprise there.

As I have mentioned previously on Tuesdaynight, trading the feeling of safety (without an actual increase in safety) for an invasive, always-on, 3rd-party-accessible video monitoring presence is a choice that leads to a far more paranoid society, less willing to engage in social behavior and less like the kinds of societies in which we want to participate.

Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imaging that Bob has only allowed 3rd party applications to see his profile picture and profile status.

After a while, Alice tells Bob about App X. He thinks it sounds cool and adds it to his profile. At this point if App X, via Alice’s profile, looks at Bob’s profile it will see not only his profile picture and status but also his education history, hometown info, activities and movies. That is significantly more than what he authorized in his Application privacy settings. What is going here?

It appears what’s going on is that if Alice and Bob both have authorized the same application, that application no longer respects either user’s Application Privacy settings. Instead, it respects the Profile Privacy settings of each person. In essence, App X acts (from a privacy settings point of view) as if it were a friend of Alice and Bob and not a third-party application.

Putting my privacy commissioner hat for a moment, I’d want to analyze this situation from a consent and disclosure perspective. When Bob confirms his friendship with Alice he is, in a sense, opting in to a relationship with her. This opt-in indicates that he is willing to disclose certain information to Alice. Bob can control what information is disclosed to Alice through his Profile Privacy settings and this allows him to mitigate privacy concerns he has in terms of his relationship with Alice.

What Bob isn’t consenting to (and is not opting in to) is a relationship with Alice’s applications. Bob is completely unaware of which applications Alice currently has or will have in the future. This is an asymmetry of relationship. It is entirely possible that Alice and Bob will have applications in common and once they do the amount of profile information disclosed (by both of them) to an application can radically change and change without notice to either Alice or Bob. Furthermore, it is unclear which Facebook privacy settings Bob needs to manipulate to control what Alice’s applications can learn about him.

This lack of clarity is harmful. It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.

This experiment started after I read the Canadian Privacy Commissioner’s report of findings on privacy complaints brought against Facebook. This report raised significant concerns about third-party applications and their access to profile information.

As of the beginning of Catalyst (today!), Facebook has about 15 days remaining to respond to the Canadian Privacy Commissioner’s office, I hope that this issue about third party applications and privacy controls is meaningfully addressed in Facebook’s response.

(Cross-posted with Burton Group’s Identity Blog.)

I built a basic Facebook application called Privacy Mirror. The goal of Privacy Mirror was to see, as a 3^rd party developer, just what information I could glean from my profile via Facebook’s APIs. At first, I used two Facebook API calls:

• users.getStandardInfo
• users.getInfo

I wanted to call these APIs, see what data they returned, and that’s that. I had and have no interest in storing any of the data, and, in fact, Facebook deems most of the data I retrieved as unstorable according to their terms and conditions. For those of you who use Privacy Mirror I want to repeat, I do not store any of the information that is retrieved by the API calls.

Once I got comfortable pulling data out of my profile, I wanted to see how much information I could read from my friends’ profiles. This was especially interesting as none of them authorized Privacy Mirror and none of them knew about it. In essence, I wanted to see how much information a 3^rd party application developer to gather from my friends without their knowledge (and barely with mine.) To do this, I added one more API call – friends.get. This gave me a list of my friends, and then I called the above APIs to get their data.

Findings

Without their authorization of Privacy Mirror, I could profile information from all of my friends. I could see all of the profile information that they had allowed 3^rd party applications to view via the privacy settings in Facebook. For example, if you were my friend and you allowed 3^rd party applications to see your status, Privacy Mirror would show me your status. Now keep in mind, you haven’t authorized Privacy Mirror (i.e. you haven’t added it to your profile).

Cached Privacy Settings

Realizing that applications that my friends have authorized could (and likely do) retrieve information from my profile, I decided to change my Privacy Settings. I had enabled applications to see my profile picture, activities, and basic information. I disabled all of those, except for my profile picture. Rerunning Privacy Mirror – I could see my activities – which I had just explicitly removed form sharing with 3^rd parties. I deleted Privacy Mirror, logged out, waited a while, added it back, and low and behold, I could still see data elements that I instructed Facebook not to share. I have repeated this over the last few days with no change in output – Facebook is returning more information than my privacy settings allow. I have talked to other users of Privacy Mirror and they are reporting the same thing; this removes the objection that because I am the developer of the application there is some sort of special behavior going on.

Something is caching profile information and ignoring the privacy settings directives. There are two alternatives I can think of:

1. Facebook is caching
2. My application server is caching

I don’t believe that my application server is caching anything, but I’ll leave this open as a possibility. More likely, Facebook is caching information. This makes sense – there is a lot of infrastructure that FB has to truck my profile through. But if this true, then why are my privacy settings being ignored. For now – I have no answers, just more questions.

I’ll keep you posted as I learn more about what is going on. In the meantime, I hope you enjoy Privacy Mirror.

Secure Flight matches the name, date of birth and gender information for each passenger against government watch lists to:

• Identify known and suspected terrorists
• Prevent individuals on the No Fly List from boarding an aircraft
• Identify individuals on the Selectee List for enhanced screening
• Facilitate passenger air travel
• Protect individuals’ privacy

After matching passenger information against government watch lists, Secure Flight transmits the matching results back to aircraft operators.

Did you notice the extreme use of irony there? Secure Flight is used to “facilitate passenger air travel” and yet Secure Flight’s sole purpose is to keep people off of planes. (I think someone at the TSA doesn’t know what facilitate means.) Irony aside, Secure Flight is ignorant of (or at least tone-deaf to) the US’ strong social and legal tradition of freedom of movement.  Secure Flight can act as a preemptive refusal of air travel in the absence of due process, which contravenes citizens’ freedom of movement.

Let’s talk about Pierre-Simon Laplace for a second. The French mathematician and astronomer described “an intellect” so vast that it knew the location and momentum of every atom in the universe. With this knowledge, this intellect (latter dubbed Laplace’s Demon by biographers) could know the future. As he wrote:

We may regard the present state of the universe as the effect of its past and the cause of its future. An intellect which at a certain moment would know all forces that set nature in motion, and all positions of all items of which nature is composed, if this intellect were also vast enough to submit these data to analysis, it would embrace in a single formula the movements of the greatest bodies of the universe and those of the tiniest atom; for such an intellect nothing would be uncertain and the future just like the past would be present before its eyes.

So with two attributes, location and momentum, Laplace’s Demon can know the future. With gender and birthday (along with name), Secure Flight can know bad guys from good guys and keep them off a plane.

The problem is that neither work. Laplace’s Demon has been slain multiple times. Secure Flight and the No-Fly List have and will continue to suffer the same fate.

Nations (UK, Israel, the US) and Agencies (DHS), like malevolent Santa Clauses, are building multiple mother-of-all naughty-and-nice lists. Their slavish devotion to Laplace’s Demon fuels their hopes that by knowing everyone’s name (and other attributes) they somehow can predict (and in some cases, prevent) the future. Hubris and ignorance are the twin attributes of such plans and neither ought to have a place in the programs of civil societies.

Section 4 of the report is, for me, where the action is at. Section 4 is concerned with 3rd party application in Facebook and use of personal data by those applications. As the Facebook platform grows with new additions like Facebook Connect, issues of third-party access to user information will continue to be a concern to those who pay attention to such things. There’s a challenge here as the ways in which 3rd party applications use user information is hard to decipher, as it is, from an end-user perspective, a fairly black-box operation.

I wonder if Facebook could build a personal privacy impact assessment (PPIA) app. The PPIA would analyze the action you are about to take on Facebook, your privacy settings, the 3rd party apps you’ve allows access to your profile, and the privacy settings you have set for those apps. The PPIA could give you a quick read on which applications would be privy to the action you are about to do. It could indicate which groups of friends (based on your privacy settings) would see what you are about to do. Essentially, it would let you see across how much of your social graph a certain action (like posting a link or photo) will travel.

We all have PPIAs built in – one that is cultivated through social interactions schooled by social norms. When it comes to dealing with large systems, like Facebook, big business, or the government for that matter, we all can use a little help.  I wonder if someone can get a PPIA prototype up ahead of Catalyst to at least give me a warning about potentially embarrassing photos being posted somewhere…

(Cross posted from Burton Group’s Identity Blog.)

Regulators have levied the maximum fine, $250,000, for the recent incident involving Nadya “Octomom” Suleman.  (Kevin commented on this previously.)  All in all, 23 individuals looked at Ms. Suleman’s records without authorization. Of these, 15 have either been fired or resigned.  And although the state regulators have fined Kaiser, they have yet to penalize any of these 23 individuals – which they can do under state law.

As reported in the LA Times, Suleman’s lawyer said:

“I think Kaiser handled it professionally. They found out, they terminated the employees, they brought it to our attention. They certainly didn’t try to hide it.“

It’s important to note that even though Kaiser acted appropriately, laws like SB 541 are clear cut: unauthorized access to medical information =  fine. Do not pass Go; do not collect $200.

As we’ve said before privacy risks are real. The fines are increasing. The number of regulations is increasing. Now more than ever is the time to register for this year’s Catalyst conference so you can attend our Privacy Risks Get Real track and learn how to reduce the chance your organization will become the next “first.”

(Cross posted from Burton Group’s Identity blog.)

I’ve learned that it is generally frowned upon to use the second person in our reports – too informal I am told.  Use the blog if you want to address the audience directly.  Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge.  We had to work hard not to write without using “you.”  And why was that? Privacy discussions are and must be inclusive.  They involve each of us on a far more personal level than a discussion of, say, account lifecycle management.   Cognizant of privacy implications or not, the decisions you make on a daily basis have effects the privacy of your customers and partners.

Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone.  You.  Me.  Everyone. To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leadings to practices and behaviors:

This report is by no means the end of our exploration of privacy – it is just the beginning.  We will continuing the conversation this July, at Catalyst North America, in the “Privacy Risks Get Real” track.  We are working hard to ensure that these discussions reflect the inclusive nature of privacy.  We’ll be exploring privacy concerns across multiple domains: from healthcare to higher education.  Finally, to sweeten the deal, we have worked with the International Association of Privacy Professionals to get some of the tracks at Catalyst approved for Continuing Privacy Education credits.  We are looking forward to continuing the privacy conversations with all of you this July!

Speaking of Catalyst, we have special surprise for IdPS blog readers… Since it is Easter egg hunting season, we’ve placed a couple of them on the Catalyst web site. The prize inside is a super discount code to attend Catalyst. To find the eggs, go to the conference web site and do this:

• Hover (but don’t click) over the “San Diego” icon for 20 seconds

-or-

• Click and hold on the Catalyst logo and then drag your mouse off and release

Register right away – this discount is limited to 50 users and could disappear at any time!

(Cross posted from the Identity Blog @ Burton Group.)