Privacy Issues for business in the new digital age
Marie Shroff (Privacy Commissioner)
This session started with a fizz and a whimper, I think based more on the usual audience for the Privacy Commission than the subject matter itself. I did enjoy the comics though 🙂
- Customers are starting to take an ACTUAL interest in their privacy (~80-90% are concerned or ‘very concerned’)
- Media starting to pick up on these stories as the articles drive interest
- Bigger companies are starting to see the moral and ethical necessity to adopt privacy
- Expectation of future tweaking suggestions for privacy act
- “Value your CIO as your would your CFOâ€
- Despite the cloud context, people are expecting the same flexibility and control over their data as when it was locally domicilled
The discussion that followed was interesting
Q: “Have there ACTUALLY been any penalties exacted against companies as a result of data breaches?”
A: Yes – TGX spent $250M to rectify a breach (included 12 months of monitoring for those who lost info – Ref: Article here)
(My feeling is $250M is pocket change and, honestly – this is not a deterrent for poor privacy)
 “Should there be an audit system in place where an independent comes in to see how privacy is being treated?” – Ernie Newman: “Independent Consultant”
While on the face of it this was a blatant attempt for a soundbite to give Ernie something he could take to future prospects, there was a papbable interest in the concept from the room.
While I have no issues with the fact that people are wanting some level of assurance over the privacy of their information I have a number of concerns about how the auditing would be performed and the results protrayed, as anyone who has worked in the industry for any length of time would know, there is a wide continuum of capability and integrity with audit functions, even when using so called ‘independent’ auditors to say I’m reluctant to trust an audit process to assure me of the actual reality of privacy processes would be putting it mildly.
Predictably, questions were asked about ‘Cloud Computing’, especially in the realm of data sovereignty and specifically “When should we limit the information flowing overseas” and “When submitting personal information to a corporate, how/can we we be assured this data is stored safely?”
The Office of the Privacy Commissioner is developing a code on cloud computing so, for those who feel they would have useful input into the discussion, I’d encourage you to get in contact with Marie Schroff and her team to see if you can be of assistance.
 Does privacy exist?
This opened an inevitable can of worms, and, in my view, the basic answer is no. When you have shared your personal information, even with your friends by way of their contact lists – you can assume that your information is, or will become ‘public’.
The more complex (but correct) answer is that it’s not really a question of privacy, but a question of control. People want (need) control over the data they share with government agencies, corporates and – in my opinion, with people.
The big issue is that of consolidation and mine-ability of personal data. In isolation, a geo-tagged photo of kids in a playground is innocuous in itself, and maybe a nice way to remember where that funky looking tree was located – but combined with tools like cree.py and your online persona where these photos (with their meta information) may be shared, these photos become a way of tracking movement, schedules and ultimately could lead to sufficient information to profile to a degree of certainty where the subject may be living, or visiting – even ahead of time.
Another example of this would be combining 4sq check-ins, geo tagged tweets, Facebook Places, Community GPS reporting, Google Latitude to give pattern based location predictability. Couple this with a purchasing loyalty program (coffee card, supermarket ‘VIP’ discount card) and banking records (EFTPOS is an audit trail of your life) and you have enough information to determine where someone will be at a given time and day, what they are likely to buy, and how much they are able to spend.
Fortunately, most of us just aren’t interesting enough for this level of consolidation of data* – especially since at least two of the components come from what we would hope to be independent and secure corporate datasets.
For a real world example of consolidated and mine-able personal data, check out this article or this one, from the researcher himself.
It’s difficult to have an expectation of privacy when you give away your information in exchange for services
Which is harsh, but true. This does not just apply to the decisions you make, but also those made on your behalf i.e.:
When a friend of yours, who holds all your personal contact information in their mobile phone contact list, accepts the terms of [a random app] downloaded from [mobilephone OS marketplace] and accepts the conditions to read contact lists. The reality is, (even if above the board,) this application now has permission, proxied by your friend, to view your contact details.
What happens to these details? Are they stored on an upstream host? How secure is the host? Virtually? Physically?
The root problem is, (normal) people do not know about the risks, or care, or are even interested enough to read what is presented. One of the attendees described this as “Clicking the “Whatever†button” as in: “Before you connect, be aware that we intend to…<yeah yeah, whatever [Click]>”
So for me, and others in the room – privacy then becomes about education of users, helping them understand the issues, appreciate the decisions they are making and the fact they are proxy for the privacy of others as well. Privacy Commons is one (partial) answer to this dilemma as is the “Personal Data Ecosystem Consortium”
*For those that think they are interesting enough, pretend that the movies are real, don your tinfoil hat – then go an watch “Echelon Conspiracy“