PII 2011: Making Privacy Portable

November 15th, 2011

Larry Downes moderating panel with Chris Babel, TRUSTe, Jim Brock, PrivacyChoice, and Chris Kelly, Kelly Investments. Jim: PrivacyChoice’s mission is to make privacy easier: managing online, templates, partners & their APIs. We’re bootstrapped right now. Chris B: TRUSTe: privacy services have evolved into advertising, mobile and cloud spaces. Was non-profit but 2.5 years ago we went for-profit. Chris K: companies with data components of user behavior, concerns with venture model.

Larry: privacy was a cost (or risk) of doing business, now we’re looking at empowering users in a way that generates profits. Anecdotal experience in making privacy profitable, and what we learned? Jim: customers have been coming to us (on business side) with a compliance model, wanting to see uplift in their site with TRUSTe seal. Customers have concerns, their seal helps address that. Chris B: space between customer needs and marketing efforts. “Profile Choice” allows real-time bidding on aggregate-able info, didn’t find the right mix at that time. Chris K: misunderstandings between what companies are trying to do and what customers believe they’re doing. Using data for ad targeting within a company privacy policy. Beacon became Facebook Connect.

Larry: Beacon, and Google Buzz, had unsuccessful launch: unclear purpose (benefits), generating FTC complaints. Is there something about the launch of a product or service that makes it more dangerous or risky than other times? Jim: use of large datasets is prone to claims of changing the rules. If you’re working in areas that weren’t contemplated, that can be confusing, need to think about how to advance sharing practices. Navigating these waters is extraordinarily difficult. Jim: any future change may be viewed as a breach of privacy, unexpected changes (lack of or poor communications, offer choices, does company honor user choices, no accountability). Chris K: FTC, government isn’t in a good position to deal on this level but you don’t want to attract their attention.

Larry: sources of funding? Chris: question is no longer is privacy big enough, now it’s what are the top level matters? Investment community–advertising (every $ spent wants to be more targeted). Jim: process in ad targeting space, global, and how little is online: ad people are demanding more information about who’s receiving their ads.

Larry: about your not taking public investments? Jim: happy accident.

Chris K: Forensics for providing choice or for analytics/response: there are techniques, can take better control over this as web providers to help users. Data flow as arms business: companies that need to control what’s happening on their site or people who want to offer services to consumers. Chris B: targeted ads now more transparent. Balance against malware, cookies and their sources that feels more like security.

Larry: FTC’s interest in these issues, pending legislation in Congress–how does possibility of regulations affect climate for investment? Chris K: uncertainty is a cloud, straightforward means of regulation can move industry forward. But interim finger-pointing, lobbying gaming, are problems. Likes EU model, but we’re moving away from that. Chris B: gov is crowdsourcing communities, online advertising and ad space initiatives are trying to be more self-regulating. Still uncertain, industry groups and co-regulation being brought up and talked about. Chris K: Congress is a giant consumer of these targeting services. Behavioral targeting seems to be settling. Larry: what if a new regulation passes that takes a business model out or forces… Chris K: legislation takes time to effect.

Questions. Did people that saw the TRUSTe seal click on the seal or just go with it? Chris: clicks were low, most people recognize seal as an envelope.  What are people choosing? (site can collect, store, use for ad targeting, give to 3rd parties) Chris K: policy should say. We can’t make sure people read the policy. Do I have a right not to have data collected? Ends up as different perspectives from people vs industry, investment (collect data).


PII 2011: Mapping the PII Market: Players, Regulators, Stakeholders

November 15th, 2011

Session with Terence Craig and Mary Ludloff, PatternBuilders. Terence: their book is Privacy and Big Data (O’Reilly).

Things have changed in privacy and personal information. PII-driven business models (later). Data collectors are the engine: giants like Google, Facebook, Twitter, also organizations and agencies like Florida DMV (sold data to LexisNexis), also mom & pop operations. What makes information valuable? Your health and wealth, the networking you do, the Internet of things (you). What role do the aggregators play: markets for buying and selling data. Uses are infinite: research, monitoring, predictive modeling, advertising…

PII-driven business models:

  • Platform plays (SAS, Hadoop, Revolution, Microsoft’s SharingInsight, CouchDB, etc.) – where everything is phoning home all the time.
  • Social plays: LinkedIn, Facebook, Google Plus and Foursquare, but mobile is not this change. Also KISSmetrics, Klout, Zynga, HootSuite, Radian6.
  • Government plays: TSA and NSA, FBI, IRS, can buy from Facebook, Palantir (DOD).
  • Privacy plays: SafetyWeb, reputation.com, TRUSTe, Singly, also Intellilight (in Detroit, attached to street lights; if a couple of people are there it turns on an audio mike and calls police), Spokeo, Datong
  • Everyone plays: not just about advertising, many industries and business models benefit.

Implications for all PII players: privacy expectations, regulatory adherence (global), transparency (toward customers), crisis management. Privacy concerns are growing with consumers. Government is signalling that concern with new legislation. Companies must invest in this area, including training and certification.

Regulations: it’s confusing and will get more so. US: >30 federal states, >100 state regs for data security privacy. EU, pending legislation adds more. Bottom line: you’re going to need help here. Be transparent, be explicit about what you can’t provide. Use opt-in data options only.

Crisis management: when things go wrong, know how you are going to deal with them. Get a team and process in place. It’s about staying with the story if you can (used to be getting ahead of the story, now stay with). How to avoid a train wreck: be transparent, think global, be ready for breaches, behave as if you were worth your customers’ trust.

Question: opt-in: don’t short the short-term: be transparent. Opt in is a good way for customers to choose, is sticky.


PII 2011: Social Sharing and the Data-Driven Economy

November 15th, 2011

On this panel: Kara Swisher, All Things D, moderates panel with Jim Adler, Chief Privacy Officer, Intelius, David Glazer, Director of Engineering at Google (Plus), Roger McNamee, musician and Elevation Partners, and Fred Wilson, Union Square Ventures.

Kara: We’ll be talking about implications of social sharing for business. Where is the business of social sharing? Fred: Facebook plus, FB is the largest platform but not the only. There will continue to be lots of important social platforms outside of FB. Roger: period of rapid adoption for first 2 years, FB has won the largest share. Cost of entry is high, social is everywhere. David: once things are that way they tend to stay that way? We didn’t name Google Plus “new, now, here” – two things we wanted to do: existing products could be done better, we saw a lot of our products would be better with baked-in sharing. Wanted to improve overall connected state. Jim: things swing from open to closed and back. Fred: top things include Tumblr, wouldn’t be in the picture but for… Mobile is really important. It’s not game over. FB is dominant but market is not devoid of opportunities. Roger: web as an app, number is going to 70% (of what?). Who is going to control the user experience? Things are not shipping on mobile. FB for many people is going to be the platform; connect then identity. Jim: we’re in the process of mapping humanity online. This is a big one. It really does a disservice to say it’s done. How are we mapping? What’s appropriate? rights? mapping social rituals. Of course there will be platforms, and we’re just getting started.

Kara: what are the key critical trends? Jim: we’re going through a new reality, reputation online, a 360 view. You can now reach across time/space. It takes a village, and we’re doing this one hut at a time, building intimate connections. David: I agree with mobile, always on. Shift to living in a world where we’re always on, leaking and sharing, what do we do with that? Kara: continuous partial attention? David: yes, how subconscious should we be? Shift to assuming the camera is always rolling. Jim: this is something we need to get used to. David: there are “many publics” (Kevin Marks said this first). Fred: Tablet is interesting. People are starting to build natively for tablets. More companies are coming to us where FB is the only login experience. This will accrue tremendous value to FB, that’s not really a good thing, especially for the developer (or the users!).

Kara: mobile platforms? Roger: Facebook and Yelp as mobile. Time to market. The thing that really scares me: we’ve lived in a world where people have not been honest with each other for too long. Income gap based on proprietary access to opportunities. Big corps (including telcos) are absolutely using our data. Jim: we’re moving through a threshold. FB is assumed to be public but it’s mostly private. (?) Social media has been like Lake Wobegon, was powerful but there are going to be interesting consequences: what do people know about me? New product where people can know what we know about them. Too voyeuristic, not narcissistic enough.

Kara: what is sharing now? Fred: when you go out on Friday night, there’s a tremendous amount of sharing going on. Social media is doing sort of the same thing. This morning was sad about Zuccotti Park, human nature to want to share. My kids are much more aware of how to use the technology. David: the way my kids use “stalker” has become a casual term. Fred: I stalk my kids on FB every day, they know it. Jim: Kids know the difference between public and public/private spaces, they’re much more nuanced about how they approach the world. Fred: we’re doing this hire, looking at all of the social media resources of potential candidates. Next generation is using tools to make “resumes” more interesting.

Kara: If FB is the main stalking platform, what are the main business opportunities? Roger: social is today what “new media” was in 1987. My sense: new environment (half cell phones, half computers) is “hypernet” with totally different economic players. Running out of wireless bandwidth, need to replace infrastructure in cellular. Apple’s position is really unstable, capturing the value through hardware. HTML5 has opportunities to change the rules of the game. Safari gets 100% of development today, but notion of one company capturing all the value needs to change. Gigantic change wave of the hypernet, based on whitespace and digital TV spectrum. Instagram is fun but not important.

Kara to David: Google Plus? Tried to have a quiet debut. “We shipped plus, now we’re shipping the Google.” Two things we want to solve: one is how can we make YouTube, Blogger better by making it more social. Fred: Socialization of Google and mobile apps: eventually they’ll get it right but it’s crazy to think of it as a Facebook killer. Roger: maybe a Twitter killer, because they captured the “twitteratti” early on. Costs zero to add a Plus button. Jim: the big opportunity is what you can do with data. Focus on private data becoming public: more frictionless sharing. Understanding data is hugely disruptive. Use cases, danger is in inappropriate use. How do we use the public data to infer amazing things about each other?

Kara: Are you investing in data companies? Fred: we like to invest in platforms that have a lot of data and can use it to do things natively on the platform. We’re not investing in capturing data for 3rd party things. Kara: How do you look at Twitter? Fred: my favorite platform of all, but not as an investor–I connect to people there (@FredWilson has over 200K followers). It’s all public, everyone knows that.

Roger: two things that Apple did wrong: 1) fight with Amazon over one-click, 2) if they get AppleTV right, all they have to do is in-app purchases back. Fire is not a great tablet. Fred: it’s a Kindle with the web on it. Roger: yeah. Nook is much cooler.

Questions.


PII 2011: Baking Privacy into the Business

November 15th, 2011

This session features Lauren Gelman, BlurryEdge Strategies, and Kevin Mahaffey, Lookout Mobile Security. Kevin says most powerful force in a company is security and privacy. However, no start-up starts with Chief Privacy Officer. Lookout uses a “New York Times test”: everything you’re doing can be published on front page, including how your product works. “Everyone complains about privacy policies, but the more you can communicate with users you can avoid a whole world of pain.”

Lauren: what if your device was stolen? You probably don’t want to notify the thief that the device is being tracked. What’s your threat model? Who’s looking for your data?

Kevin: you have a choice of encrypting data or password resets. There are constraints from many interests that will prevent you from doing what you want. TRUSTe is doing some good work.

In mobile space, you have more options of notifying people. Different for platform vendors and mobile developers. For mobile developers, analytics and advertising libraries–the issue is that you’re using user data to determine value. Mobile breaks down in the types of data being collected, not disclosed properly in privacy policy. All SDKs collect lots of info, hashed (sometimes with improper salting, revocation). Inherent architecture in advertising is prone to surveillance-level collection. For example, advertising sometimes passes referrer info to track conversion rates, but is creating a “worse system around” the data. Kevin’s work is trying to make process more transparent.

Each platform makes decisions about how users are going to make decisions about their use of the device. Tremendous liability for companies that misuse customer data. Users are starting to weigh this as a decision point. Compliance is a smaller part of Lauren’s work–there’s a whole lot of unregulated stuff going on. She gives a company a “gut check” on what users would think of these practices, collecting location info and what’s reasonable notice, later translation into a document.

Compliance is not big for startups. The companies that succeed are likely to be those who handle privacy best in any new field.

Questions:

Server location and data protection: different countries treat data variably, what about later when data is valuable? This is a really hard problem, best answer is locate servers in countries with best policies (Kevin Marks suggests Iceland). Have policies that spell out requirements: what you have, retention, is there another alternative to what’s normal procedures, etc. Other extremes: all user data is going into cloud such as Amazon services. This is an adjustment for people. Who holds the key?

New changes to Facebook? It’s a decision to work with them or not. Lauren doesn’t believe that Facebook-like practices will happen again. Using FB Connect is a decision to facilitate user authentication.

What do you think about AWS services, 80 page Terms of Service that allows a very invasive data policy in Amazon’s favor? Lauren: a lot of people are trusting what Amazon’s going to do. I’ve read their TOS and I don’t know what Amazon’s going to do. Important to ask about notice, what kind of policies need to be ported from cloud hosts into your products/services.

Not in this session but related: I Shared What?!? – a service that shows you what information you’re sharing when you use Facebook or FB Connect.


PII 2011: Implementing a Privacy Program

November 15th, 2011

This session is a “behind the scenes look at Microsoft’s internal privacy program.” See the agenda for more information. Participants: Kim Howell, Reese Solberg, Michelle Bruno.

Kim Howell, (one of) Privacy Directors at Microsoft: When you’re doing a privacy review (practical, intuitive), you need to ask questions. Role playing with Reese as new company seeking a “privacy policy.” First questions (from our table discussions): what does site do, how do they collect info and what do they do with it? What’s their info flow path (is it resold?)? What’s their business model? How do you protect what you’ve collected? Controls by the individual (can visitors remove their data? remediation? transparency?)? Cookies? Other passive data collections? Countries involved (collection, use, storage)?

From Kim: Website: is this a new domain, link to privacy statement? existing privacy statement and does it match/make sure it covers everything? Data collection (see above). Send questions to new site/organization, get information, iterate. More questions: authentication, communication, vendors. Are people creating new accounts? use of email? data access requests? Vendors? Next round of questions: how well do IT + PR + Lawyers work together? Does privacy statement match the service? where’s plausible deniability? Make sure what’s required is clear, what’s optional. Provide better notice about use of information, data retention. Using HTTPS? How easy/obvious is it to obtain informed consent when signing up? Companies often think of writing a privacy statement at the last minute. (Wrong)

Next iteration: What new data is being collected? being sent where? other (new) features coming up? what info is shared? location: is it always being sent, or only in use when app is open? what other info (unique device ID, cell tower info, gender, etc.) is being sent with location data? data retention? If the service changes, company may need to re-opt in application users. Privacy controls? (example of circulating the data within different departments of the company, “accounting department loves this data.”) Who needs access? for what use? access to raw data or aggregated statistics? Have data handlers been trained? Unique identifiers are not the only way of identifying a person. What’s intended use of collected data?

Michelle Bruno, Technical Privacy Manager: see printed case study (not online). Focus areas:

  1. Level setting: focus on use of customer data, customer expectations, opting out
  2. Author guidance: “how to” guides, privacy review checklist, company activities, data sharing, research and betas
  3. Position yourself: pro-business privacy message, culture of privacy as a value-add
  4. Piggyback: identify existing processes that you can take advantage of: spec templates, guidelines, bug tracking, testing, release management…
  5. Analyze and assess: comprehensive data-gathering plan to understand company’s risk
  6. Educate: pro-privacy contacts in each group to help succeed, spread word to peers about new process/resources
  7. Identify triage partners: incident handling, partnerships in legal, customer support, operations, PR
  8. Measure: what are your success metrics?

Questions: tension between user controls and corporate collections? Make sure value matches, is understood by both sides. Look at what business can put in place to allow better user controls. Microsoft has a federated privacy team, Kim’s team defines what compliance looks like.

Not mentioned in this panel but of some related interest (about Terms, not Privacy Policies): TOSAmend and EFF‘s TOSback.
