What Ever Happened to Privacy on the Internet? Part 2

Wednesday, February 23, 2011

Rafal Los


And now... part 2 of our conversation with Rebecca Herold on anonymity vs. privacy in today's online, social-media dominated world... (PART ONE HERE)



As a follow-on to that last thought …there really isn’t (that I’m aware of) a body of literature or (self-) regulation out there that defines where that line between tracking and enriching is – why?  Do we need a standards body to help define the line between tracking for the purpose of experience enrichment and application functionality, versus tracking for data-mining? Can this even be done... and if it is done - would it necessarily need to be a government body that could have enforcement capabilities?  Would the FTC be able to step up here and create some rules around what constitutes tracking vs. "tracking"?


There are various discussions about such activities.  Various EU bodies have written about tracking technologies.  I’ve also seen discussions about this through various IEEE papers.  Also, I seem to recall the EFF, EPIC, Future of Privacy Forum and possibly even the  Israeli Law, Information and Technology Authority (“ILITA”) may have issued opinions.


Having an opinion is a good thing, unless no one cares – which I feel is the state of things today.  I think the EU is a little more concerned about privacy but some of that western greed we’ve got in spades over here is seeping into their thinking.  Unfortunately, greed tends to be an acceptable business model, and today’s business needs your private information to give you options you’ll make decisions on.  Exploiting people’s willingness to give up their privacy has become a viable business model – and it’s catching on.


It’s a matter of balance.  And right now the marketers and business leaders who see value in using personal information are much louder and more actively pursuing their exploitation of personal information than those who are trying to ensure privacy is addressed.  However, in the past year there have been many legal actions related to online tracking practices.  And the various privacy advocacy groups are certainly trying to bring the issues to the forefront of lawmakers’ attentions.


So, what technologies or platforms do you feel are particularly difficult when it comes to stripping away your privacy for a profit?  Sure we all pick on Facebook and Google but there are others out there that are just as bad, or maybe even worse?


Oh, there are tons of such sites out there! Spokeo is notorious.  The Privacy Rights Clearinghouse has a long list: http://www.privacyrights.org/online-information-brokers-list.  Actually, regarding technologies and platforms, I have concerns about the unbridled bliss so many are having with Kindle and other types of e-Book readers.  The e-reader vendors collect a ton of information when signing up customers for those devices, and then they track all the articles and books loaded, along with the items browsed, dates, times, and other logged info.  Who gets access to all those logs?  They are marketing gold.  Plus, lawyers and law enforcement will love getting them also.  Then there are the GPS and location-aware technologies that are increasingly being used; that information is being shared with many more entities than those using them are aware of. I’ve also been leading the NIST CSWG Smart Grid privacy group for the past two years; we’ve identified a volume of concerns with those related new technologies.


What do you think it will take to get people to lift the rose-colored glasses from their eyes and realize what they’re giving away … or is this a lost cause in today’s modern society?


No, it’s not a lost cause; I’m not pessimistic.  But I am realistic.  Again, it comes down to making people more aware, in addition to establishing more regulations that require businesses and organizations to do more to protect all aspects of privacy.  There are many groups out there trying to make a difference, such as the Privacy Rights Clearinghouse, EPIC, EFF, and Future of Privacy Forum, just to name a few.  But we need to take a more direct approach and infiltrate the population in a more extensive manner with discussions of privacy throughout all daily activities.  I know I will sound like a broken record, but we need to incorporate information security and privacy into our education system, from the earliest years on, to be able to ingrain such thinking and considerations into our daily decision-making processes.


As a student of privacy …have you seen any particular legal decisions that simply make you want to give up hope?  I caught this one when someone suggested it to me, and it blew my mind (http://www.infolawgroup.com/2011/02/articles/lawsuit/il-appellate-court-no-duty-exists-to-safeguard-...)!


No, I’ve not seen anything that would cause such a fatalistic response. There is usually a contrasting decision for every poor decision.  Your example can be countered by several opposite judgments in California and other states.  The judges in these cases are often influenced by their own agendas; the interpretation of rights and laws cannot help but have some degree of subjectivity involved; they are only human, after all.

If those of us who want to advance understanding of privacy, and help to ensure privacy protections are built into all types of business activities and new technologies, keep at it, the old way of thinking by these types of courts will eventually fade away.

So maybe all isn't lost ...maybe there is even room for anonymity and privacy in a world where the 'customer experience' is king?  Obviously it will require additional thought and buy-in from the security and privacy officers in many of the organizations who are the worst offenders ...but at the end of the day I think the loudest cries should be coming from the consumer.  Stop giving up your personal data easily in exchange for trinkets and Internet gizmos ...it's just not worth it.  Understand the value of your privacy, and don't sign up for programs that don't take your privacy seriously.

The decision is yours, consumer, and what happens with privacy on the Internet is largely up to you.

More on Rebecca Herold:

Rebecca Herold, “The Privacy Professor,”® is a leading information security, privacy, compliance and training consultant. Rebecca is currently listed, as in each of the past lists, among Computerworld’s top three Best Privacy Advisors in the world, and as a Top Influencer in IT Security by IT Security magazine. The proprietary security training exercise Rebecca created has won the CSI Information Security Program of the Year. Rebecca is also an Adjunct Professor for the Norwich University Master of Science in Information Assurance program. In addition, she currently leads the federal government's NIST Smart Grid privacy standards committee.  Through her company, Rebecca Herold & Associates, she provides information security, privacy, compliance and education services, including keynotes and speeches across industries.  

Rebecca created the content for Compliance Helper (compliancehelper.com), which provides complete documentation for a company’s information security and privacy management platform, meeting multiple regulatory compliance requirements and providing personal support. The Second edition of Rebecca’s highly-rated book, "Managing an Information Security and Privacy Awareness and Training Program" was recently published, and she is currently working on her fifteenth book. Rebecca has published over 200 industry articles, writes multiple monthly columns, and has done hundreds of interviews for news media.

Rebecca Herold is also a frequent contributor to Infosec Island.

Cross-posted from Following the White Rabbit
