International Privacy Day: Synchronicity

Today is International Privacy Day (and also National Data Privacy Day here in the USA and maybe where you are too).  The day is set aside to celebrate the anniversary of the Council of Europe Convention on Data Protection.  Put on your reading list for today both the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

 It’s also, felicitously, the end of the quarter for us here at Burton Group, which means that we are trying to wrap up the final edits of our reports and send them off for peer review.  This quarter Bob Blakley and I have been researching privacy.  We’ve talked to a variety of different kinds of companies of all sizes in many industries, and we’ve come away with a lot of lessons.

 Two of these lessons are that privacy is deeply contextual, and that this contextual nature prevents privacy from being easily defined.  Without a strict definition, though, how does an enterprise privacy team proceed?  Can you write policies concerning something which means one thing in one setting and something different in another?  It turns out, we think, that you can.


 I practice martial arts.  Every martial art has a set of principles.  Though these principles may differ, their use is the same.  Principles guide practice.  You practice your art in multiple contexts to prepare you for whatever may come.  In each of those contextualized situations, your principles guide your response.  (Synchronicity moment number one).

 My friend Julie is one of the most amazing corporate and brand marketers I have ever met.  She uses a simple approach in building overall market strategies and brands: identify true corporate values (principles), then let those values lead you to tangible market strategies.  Corporate values guide the formation of market strategies.  (Synchronicity moment number two).

 In our forthcoming report, Bob and I examine sets of privacy principles, but we also look at the ways in which these principles can drive real practice.  We discuss the characteristics and activities of effective privacy teams, too.  In building our report, Bob and I used (self-referentially) this method of letting principles drive practice. We built the report by starting with what we are referring to as Burton Group’s “Golden Rule of Privacy” and let the Golden Rule guide our writing.  You’ll have to wait a bit for the full report (unless you want to be a pre-publication reviewer, in which case please drop me a line!), but I’ll share the Golden Rule with you now:

We protect privacy when we consider the dignity of individuals about whom we know things, and when we use what we know about them only in ways which preserve and enhance that dignity.

 Happy International Privacy Day!  And for those of you attending the IAPP’s Privacy After Hours event tonight in Washington DC, I’ll see you there.

(Cross-posted from Burton Group’s Identity blog.)

Stripping Search

In response to regulatory pressure and to apply some pressure on their competition, Yahoo has announced that after 90 days it will anonymize search queries and remove personally identifiable information (PII) from them as well.  Specifically, Yahoo will delete the last eight bits from the IP address associated with a search.  Further, Yahoo will remove some PII data, like names, phone numbers and Social Security numbers, from the searches.  The goal is to (eventually) destroy the ties between a person and what that person searches for, which could include embarrassing, compromising, or sensitive items such as information about medical conditions, political opposition materials, adult entertainment, etc.
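As an added example (not Yahoo's code and not part of the original post), the two steps described above sketched in Python: zeroing the last eight bits of an IPv4 address and redacting phone- and SSN-shaped strings, then grouping the result to show what linkage survives. The regex patterns, record layout and sample log are assumptions constructed for illustration; name removal is omitted because it cannot be done with a simple pattern.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed US-style formats; real scrubbers need far broader patterns.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def truncate_ip(addr):
    """Zero the last eight bits of an IPv4 address, keeping the /24 prefix."""
    ip = ipaddress.IPv4Address(addr)  # raises on malformed or non-IPv4 input
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFF00))

def scrub_query(query):
    """Replace SSN- and phone-shaped substrings with fixed tokens."""
    return PHONE_RE.sub("[PHONE]", SSN_RE.sub("[SSN]", query))

def anonymize(record):
    """Apply both steps to one log record; the timestamp is kept as-is."""
    return {"ip": truncate_ip(record["ip"]),
            "ts": record["ts"],
            "query": scrub_query(record["query"])}

def candidate_pool(truncated_ip):
    """How many addresses a truncated value could have come from."""
    return ipaddress.ip_network(truncated_ip + "/24").num_addresses

def residual_linkage(anon_records):
    """Group scrubbed queries by truncated IP: what still ties searches together."""
    groups = defaultdict(list)
    for rec in anon_records:
        groups[rec["ip"]].append(rec["query"])
    return dict(groups)

# Constructed sample log (documentation address ranges, made-up numbers).
SAMPLE_LOG = [
    {"ip": "192.0.2.77", "ts": 1, "query": "rash treatment clinic (415) 555-0134"},
    {"ip": "192.0.2.77", "ts": 2, "query": "credit report 000-12-3456"},
    {"ip": "198.51.100.9", "ts": 3, "query": "weather boston"},
]

if __name__ == "__main__":
    anon = [anonymize(r) for r in SAMPLE_LOG]
    for ip, queries in residual_linkage(anon).items():
        print(ip, "1 of", candidate_pool(ip), "hosts:", queries)
```

After both steps the two searches from the same host still group under one /24 prefix, so a reviewer assessing such a scheme should look at the free-text query content and the retained timestamps as well as the address field.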

There are two points I want to draw your attention to.  The first point is related to the amount of time search providers, like Yahoo, hold identifiable search queries.  Regulators have recommended that search vendors reduce how long they hold identifiable searches.  The EU has recommended 6 months, for example.  Yahoo, reducing their retention time from 13 months, has taken a laudable step to reduce that time to 90 days.

In the future, the time it takes a search provider to extract whatever goodness it wants to out of a search query (to feed its varied businesses) and anonymize that query will reach zero.  External pressures aside, the Googles and Yahoos of the world will achieve near-instantaneous goodness-extraction/anonymization of search queries simply because it reduces what they have to store, maintain, and worry about.  That being said, even though search providers will be able to achieve near-instantaneous extraction and anonymization, they will never be able to put it into practice.  Why?  Because there will always be a desire on the part of law enforcement to gain access to those identifiable searches.

Trip report from the Privacy Symposium

This is a cross-post from Burton Group’s Identity Blog.

BTW, I am moderating a panel at Defrag. If you use “ig1” as a registration code, you get $200 off the registration fee. Hope to see you there!

A few weeks ago I was up in Cambridge at the Privacy Summer Symposium.  Gathered together on Harvard’s campus was a collection of lawyers, activists, government officials, and privacy officers discussing various aspects of privacy.  It was certainly a bit of a change for me to be in a non-tech heavy conference.  Besides hearing people like the chairman of the FTC, William Kovacic, speak, I got to witness the launch of EPIC’s Privacy ’08 campaign.  Further, I got to hear Jeffrey Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 to 10 years.

Privacy Chernobyl #1 – Targeted Ads

We’ve already seen enough concern over targeted ads to trigger Congressional hearings.  The Energy and Commerce Committee in the House has been asking ISPs and advertising providers to answer questions as to how they track and use clickstream data. Not to be left out, the EU has notified the UK that it must respond to an inquiry whether the Phorm system violated EU data privacy laws.  From NebuAd to Phorm to DoubleClick and beyond, targeted ads are getting more and more targeted.  The real concern for Rosen is the downstream use of the collected clickstream data.  For example, my ISP may not directly do anything overly odious with the information about which sites I visit, but if they sell that information, the 2nd and 3rd generation data users may be a bit more nefarious.

Privacy Chernobyl #2 – Personally identifiable search term leak

The knowledge of who I am and what I search for can be used in a variety of ways: from serving voyeuristic desires to putting me in a compromising situation.  Without being able to provide the context for the searches, I could be judged unfairly by people like a potential employer, dating service, or insurance provider, and these judgments can have a real impact on my life.  As YouTube has to disclose data for its court case, I have to imagine there are some people who really don’t want identifiable searches being disclosed into the public record.  As more and more of our web browsing is search driven, the potential impact of this problem will only grow.

Privacy Chernobyl #3 – Unexpected data exposure on Facebook

There are two concerns to this issue.  The first concern is one that Rosen categorized as data exposure in unexpected ways.  I may have tailored my Facebook profile’s privacy settings to what I think strikes a decent balance between my desire to connect to people and maintaining some level of privacy.  But what is unclear is how Facebook application developers are using my data, including clickstream data.  I don’t expect to hear a friend tell me that I “friended” a product whose ad appeared in Facebook for her, and I certainly never want to hear that this has happened.

Privacy in Transition – No Kidding

I am headed up to Harvard this evening to attend the Privacy Symposium.  I am very much looking forward to this industrial-strength dose of privacy discussions.  This will also be a bit different for me as the majority of speakers are lawyers.  Usually, I sit in conferences listening to techies and the occasional auditor.  The Privacy Symposium speaker list is lawyer and professor heavy with a few representations from the tech world.  It ought to be a nice change.

The subtitle of this Privacy Symposium is “Privacy in Transition.”  Well timed.  I look around my neighborhood and my city and I can practically see those transitions in real time.  I’ve talked about the security cameras in my neighborhood before.  This weekend, the Washington Post reports that DC is planning on using license plate readers to “fight terrorism.”  Find stolen cars – sure.  Find Osama bin Laden – not so much.  The District has got to release data retention plans for this data quickly.  For now, the word is that this data will not be retained.  The system checks plates against “Federal databases” and looks for matches.  (How long until we have a No-Fly list equivalent of license plates?)  I have to imagine that the data retention policy will change very quickly.  How long until third parties get access to this data?  I can see the District using the revenue it makes from selling access to this data to divorce lawyers to pay for school repairs.

At any rate, I’ll be in Cambridge this week mulling some of these ideas over and hearing more on matters like these.  See you there.