January 30, 2014, Churchill Club, San Francisco—Fatemeh Khatibloo from Forrester Research moderated a panel that considered the issues facing data privacy. Panelists included Jeffery Rabkin from the office of the attorney general, California Department of Justice, Jeb Miller from Jafco Ventures, Barbara Lawler from Intuit, Michelle Dennedy from McAfee, and Chris Babel from Truste.
Khatibloo observed that the range of people on the panel is rare. She asked the panelists to introduce themselves and try to define privacy.
Rabkin started as a civil litigator, then moved to municipal law. Privacy has to be defined as an age-dependent issue, as the older people have different ideas than younger ones. This difference is cultural and is about being left alone and undisturbed. Privacy is the ability to be an individual.
Miller is a VC. He considers that privacy is the right to manage your own information, something that businesses have to respect.
Lawler started with HP in their privacy program and moved to Intuit. All of her work as been with business, technology, and data management. Privacy is a personal and is defined differently for each person. It includes the right to know of decisions about you and provides some autonomy in life.
Dennedy works with a child identity project as well as being chief privacy officer at McAffee. Her passion is to halt trafficking in kids. In her work in enterprise and in her personal life, she is trying to build privacy into her life, to keep data safe because there are real risks out there.
Babel worked with Verisign, then moved to TRUSTe. There is a difference between security and privacy, with privacy associated with the individual. Privacy concerns ar a function of demographics, age, and culture.
For individuals, the context is the biggest problem, as there is no common vocabulary for describing privacy?
Rabkin noted that regulators are facing a knowledge gap. There is a need to raise awareness and for people to increase their knowledge of the implications and change market perceptions.
Lawler commented that privacy is not the problem, but is an opportunity for businesses. The use of data and the analytics associated with big data are consistent with the expectations of most people and mostly are ethical and responsible. There is an obligation to define private data use, and the tendency to develop rules like data sets etc. that are contextual. The negative parts are to also define the benefits to the consumer to raise the company perceptions.
Change from cost center and risk mitigation to a benefit?
Dennedy suggested that it is ok to assign or find values in privacy. At the core should be at the enterprise level to get a platform of useable data. The legal issues are a cost center, but the business should have a clear idea of the requirements and be morally and ethically consistent. People will like the implementation if it is done right and will pay for value. If privacy is only a legal issue then it is a waste of time. Good-will based businesses will gain after their human capital in the company is satisfied. Companies need to delight the users.
Business value?
Miller offered that social media has changed many ideas of privacy. Facebook started with college students as a means to hook up with other students. Now their audience is maturing and the company is public. Their lack of a mobile strategy means that they cannot take it too far, and people need to be careful how they use the apps.
Dennedy noted that Facebook displaced Myspace and started their own privacy policies.
The idea of marketing and learning and understanding privacy?
Babel suggested that the market is trying to create trust to maximize the value of all data in a privacy-safe way. It starts with regulations, but probably not like the EU. Then the company has to figure out what to do with their brand. The legal issues include marketing the brand, and defining lines not to cross. Overall, the issue is to define what is ok for mobile versus PC and can be implemented by the IT team.
For example, some apps enable access to the full contact list on the device and have no encryption. This is not just the email list. You don't want a call from Jeff's office and the level of distrust that such an app generates will be hard to overcome. Privacy has to be a part of the basic design and implemented in the whole system.
Startup versus municipal?
Miller offered Facebook as an example of a very fast growing startup. It is consumer facing with a high potential for damage, and can get shut down if it is too "creepy". The questions for big data is how long to hold the data, sharing, and what data are constrained. Now IT departments are trying to contain the bring-your-own-device and its demand for more public data and sharing. What are users likely to do with the data.
Big data and wearables are the next generation of privacy issues?
Lawler responded that the interconnections of cloud, mobility, and the internet of things makes more devices affected. Now we have connected cars and appliances, and the latest hack is of a refrigerator. The issue of where we are going presents a challenge for privacy and big data. We are in a stage of data experimentation.
Now developers are making algorithms that start as open (source) and iterate. Developers have to consider privacy rules, promises, and user expectations. Connected devices, the internet of things, exponentially increases data. Most companies working on IoT are startups, and legislators don't know how to regulate this new area. Companies need to consider privacy and security in the early implementation stages.
Identity work?
Dennedy commented that identity management tools have to work with privacy to determine what to share. These tools have to be a periodic table of data to indicate what to move, manage, and dispose. In less than 20 years, we will have over 1B sensor nodes, which will exceed the existing sensors under IT control. As a result, data management needs to evolve. Systems will have to create synthetic metadata and change form a file-based management to a lifecycle-based structure. Big data and analytics will also have to become lifecycle based. Biometrics are not coming soon. There is a need to integrate into the lifecycle of data. The problem is still how to authenticate
Lawler added that mobile and cloud provide access anywhere, so identity should be cloud based too. Security, identity, and authentication all need management, since the cyber criminals are also big users of big data.
At the enterprise level, the IoT is constantly authenticating. What do people have to do to keep the IoT in-house safe?
Rabkin suggested law enforcement.
Miller mentioned that healthcare is driving fro more services and data, so both privacy and security are starting to be an issue.
Dennedy noted that the real world and data are merging. The new classes of devices need to be protected for health apps.
Lawler stated that the networks in this space are safe. Fitness devices and other health monitors are all one big network. The issue is how much effort is needed to secure all the devices. Companies and users will only do something if it is easy. Mobile privacy practices matter.
Consumers care about who is selling the products and the privacy, but don't want to get into the details. Users are task focused, and if the task at hand is considered more important than privacy, then privacy loses. Consumers need better understanding of the issues and have to think about what is so bad about targeting.
Babel considered the range of connections. Targeting is a part of the real world. Wifi can track a phone, even if GPS is disabled. Bluetooth can locate a device within 25 feet, and coupled with cameras can track an individual's motions. This camera system can assign individual tags to each person. Then when the user uses a credit card, the system generates yet another data point.
Some people like tracking, while others want to opt out. Some want the special offers while others want privacy. Soon everything will be tied together.
Paradox of privacy versus personalization?
Rabkin offered that targeting is dynamic, and some of the pricing offers are controversial.
Dennedy opined that the exciting thing about big data is the aggregate results may be good enough. Studies on behavior show that most guys turn right when entering a store. This allows the store to set up their displays based on this general behavior. Bulk data shows trends and allows for partial group personalization and dynamic pricing.
Miller allowed that the pressure on startups to consider that the consumer wants it drives to analytical overkill.
Intermediation and ad blockers are used by 27 percent of adults?
Dennedy offered that most ads are ugly and not interesting. Some users like ads when they are well designed. The next generation in more interested in the ads and tracking.
Lawler joined in that the ad design is a cognitive burden. Designers need to create ads that get notices and have to choose where to put them. The concepts get unwieldy. Global responses need trigger cues. Teens don't like push autoplay ads, but some groups like specific ads.
Need choice?
Miller declared that native ads (ads that look like commentary) help to expand, but crate a privacy issue. Advertisers are good at sneaking into your attention.
Dennedy added that this is also true for sponsored content.
What to do to protect?
Rabkin suggested that if you are already aware of the issues you are probably somewhat safe. More companies need to differentiate their privacy policies. Don't tell you 10-year old your passwords.
Lawler offered having a dedicated person to address privacy and data use in all companies. This person should speak to the customer point of view. Step away from the legalese and work for a simple and clear set of policies
Dennedy declared that everyone should call your mother to help, and also provide information to your church, community, and schools. Treat your passwords like panties, exotic and private. Developers need to have a student council to bounce ideas off of.
Babel stated that 4-5 years ago there were few choices, but now there are many. Use preferences available in the apps and dynamically determine when to use or not use those preferences. Companies have a greater degree of trust and brand if they have preferences, even if the consumers don't use those preferences. Consider that it will get out. The NSA, the most secretive organization in the US cannot keep things secret, so think about "how would you feel" and if it is creepy, then don't do it.
Big data and cloud. Google bought Nest. Implications and expectations?
Miller opined that Google will leverage the data and connections.
Babel stated that they will use their $3.2B investment to integrate into other Google offerings. In general, Google has been good at privacy changes and transparency by giving advance notice.
Consumers and electronic health records. Through Google and social media profiles there is too much sharing. Is there a distinction between choice and meaningful choice?
Rabkin responded that health information is exploding. As more information gets out, more people will opt out. There will be pressure to offer real choices.
Federated identity versus true trust?
Dennedy declared that the identity provider has to address the issues of business models and transactions.
Miller noted that Google wants to help, but need to figure out a way to monetize federation.
Lawler commented that a meaningful choice is important. The EU approach is not better.
Next generation issue is that they have no identity so have nothing to protect. All data is out there even though the tools to protect exist?
Dennedy reiterated that companies need a student council to address these issues. The next generation is starting to care, because they have things to hide. They are more nimble, but have no judgment. Young people are already segregating their various persona
Lawler opined that parents of teens think differently. There is a shift from me-centered to pick and choose and the young people are segregating through different settings for different peer groups. They are starting to sculpt their persona and contacts.
Social issues will shape mores in 15 years?
Lawler surmised that some standards will endure, such as dignity and respect
Rabkin enjoined that kids are getting more sophisticated, but companies still have to address the risks. The possibility for fault and not being careful remains, especially for kids under 13.
Value of identity and loss?
Dennedy responded increased penalties and fines. Changes in technology can address some of the issues.
Individual datum is not owned by any person, but the aggregate of data for a person translates to a full story of that person. Is this unfair for services versus story?
Dennedy responded that IP laws from the phone book era addressed the issue of art versus ownership. The IP bar has to address the new frontier in a personal identity economy
Rabkin considered the issue of ownership. One data ownership issue is the deprovisioning of a user-owned device when the company IT department has a need to disconnect that person from the company network. Who owns which data, and what about all of the private data on the mobile device?
Babel declared that companies need to test preferences. People will accept ads if paid and will engage with choice. They are starting to manage. So companies should reset preferences and let us know what you want.
The data are already out, it is a patch to manage. For example Google Glass, is it recording?
Miller observed that consumers like it.
Khatibloo added that ownership and data replication have difficult issues.
Lawler noted the challenges in legal, personal, and moral issues.
Dennedy declared that people make their own data, but others can observe you. Their judgments are based on various community comments and connections. Your reputation is a construct of all these inputs.