Shouldering Responsibility for Data Privacy
By Robert Lee Harris
Published February 2, 2015
All participants in the session recommended building trust with end users and, in order to avoid regulation, notifying them about how data is being used. While Zefo predicted that "enforcement will rain down on misuse, not collection," Enright said: "Listen to your users. Enable them to make their life better. Figure out the best way to get the best technology in the hands of consumers, in a way that protects them."
In another privacy session at the same conference, FTC Commissioner Maureen Ohlhausen offered a regulatory viewpoint, noting that she does not consider current regulations to be outdated or inapplicable. "If they [tech companies] made a promise they have to adhere to it. If they use information in a way that can harm consumers, they can be liable."
To make her point, she mentioned several FTC citations, including one issued to Goldenshores Technologies for a Flashlight app that collected and shared location data. "Consumers would not expect location data to be collected, and the company was not telling consumers. The basic consumer privacy law still applies."
Filiquarian Publishing likewise received an FTC citation for one of its apps. "The app offered social media information for rental and employment screening, and it violated the Fair Credit Reporting Act," Ohlhausen said.
She cautioned against too much granularity in the regulations themselves. "Business education is more effective than enforcement. There have been calls to use privacy concern as a factor in competition analysis. I don't support expanding competition analysis. When you start introducing non-competition factors, where do you stop?"
She also expressed concern about hindering the benefits that can be derived from traditionally restricted information such as health records. "I'm a big supporter of health IT and health apps, which are very useful for rural populations, the elderly, and the hard to serve, but it can be the most sensitive information. If a consumer wants to share it, they should be allowed to. Once consumers make their choice, that choice should be respected. I would be concerned about foreclosing consumers from making that choice."
However, Ohlhausen did agree that there is a problem applying current rules in cases involving traditionally non-connected devices. "The Internet of Things does create tensions with Fair Information, which is based on notification. What about devices that do not need an interface? We are continuing to work our way through this. One of the things we are thinking about is a harm-based approach. What could someone do with that information to harm me?"
The End Users
Several years ago, I heard a CEO tell members of the company IT department that employees should be able to just "open up a laptop, and have it work within seconds" without concerns about passwords, virus scans, or anything that slows down the process. The IT security director boldly told him he found such a viewpoint "dangerous and discouraging," pointing out that it created a company culture in which information security was a low priority.
The CEO's comment illustrates the age-old conflict between security and convenience, and it reflects how consumer expectations have worked their way into the corporate world. In both worlds, end users want a rich contextual experience that's plug and play.
Consumers have a "reactive response but not a good degree of awareness. It's not that they don't care, but they have a very low level of behavioral response," said Adam Gitlin, global managing director at Annalect, a data-driven marketing company, during a CES 2015 session, "Balancing Innovation and Privacy." He offered as an example consumer reaction following news of Edward Snowden's leaks about National Security Agency surveillance practices. Behavior temporarily changed, but within two months reverted to the previous level of security precautions, he said.
Impact on Enterprise IT
IT's response to this may be to create more automated security, but privacy and security are not one and the same. In reality, innovation could accomplish the CEO's plug-and-play vision, but the trade-off would be some loss of privacy. To establish trust with an end user automatically, a device needs to know something about that person, whether it is biometric data, location data, or something else. Context-based technology is even more demanding. As mobile expert Michael Finneran has pointed out in a recent No Jitter post, the low adoption rate of UC softphone clients on mobile devices is due to the inconvenience of managing multiple dialpad interfaces. A device could be designed to use the right interface based on your contact information, but it would have to know a lot more about where you are, who you are calling, and why.
As companies focus on big-data analytics and contextual experiences for their sales and customers, those developments inevitably will work their way into enterprise technology, with promising potential for collaboration, training, and even measuring employee satisfaction. Here resides the same potential for abuse, and abuse is not just measured by whether it is legal or not. The ultimate factor is end-user perception.
"Society's definitions of 'privacy' and 'freedom' will have changed so much by 2025 that today's meanings will no longer apply," wrote Nick Arnett, business intelligence expert and creator of Buzzmetrics, in a recent Pew Research report.
Maybe we will hit a tipping point where end users become tech savvy enough to demand better privacy practices, or maybe they will just get used to more personal information being shared. In the worst possible case, maybe they just won't know it is happening as their world becomes more connected.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communication technology professionals serving clients in all business sectors and government worldwide.
Looking into information privacy -- the trends, technology, regulations, and impact on end users and for enterprise IT.
As enterprises work to deliver better experiences for customers and make employees ever more mobile and collaborative, they're at the same time facilitating the creation of mountains of data, much of it personal in nature. Data privacy must be part of all conversations around next-generation enterprise communications and mobility.
The reason privacy has become such a priority is the sheer volume of data being collected. According to eMarketer, the average time adults spent online from 2010 to 2014 increased 75%. Even hour for hour, faster Internet speeds mean access to more locations and make online activity more convenient. On the back end, inexpensive large-volume storage makes data collection almost a byproduct of work, recreational, and entertainment activities, unlike the days when IT had to dump server logs constantly to avoid storage issues.
By far the largest increase of online activity is driven by smartphones and tablets, which have outgrown their original mission. They used to be a subset of what could be done with a personal computer, a la the original BlackBerry devices. You would get your enterprise email and calendar, and read (but not efficiently edit) attachments. The BlackBerry's QWERTY keyboard was similar to a desktop keyboard.
The iPhone's capacitive touchscreen changed that model. The most practical benefit originally may have been to make more display room on a small screen, but by adding a touch sensor it created a brand new element. Now, almost every new mobile phone can listen to you; recognize your face and your fingerprint; and know where you are, how fast you're driving, and that it is being shaken or tilted -- and so on. Today's smartphones and tablets consequently add new elements to data collection.
Combining the capabilities of the sensors listed in the table below enables additional sensor capability in software, such as gesture, fingerprint, heart rate, and text recognition. Just as humans perceive activity or conditions in context by using more than one sensor, the same capability exists in mobile technology. Rob Gilmore, vice president of engineering at Qualcomm, gave a great example of this at the Society of Communications Technology Consultants (SCTC) conference last October in his keynote, "The Future of Mobile Technology." A device can use the accelerometer to determine it is moving quickly and a light sensor to determine that it is in pitch darkness. It could then decide that it is probably in a luggage container. The device could power down or turn off airline-restricted radios, for example.
The amount of data generated and analyzed by mobile infrastructure is "staggering," Gilmore said. "If all the sensors could be accessed from a common database, you could derive an enormous amount of information. ... there is a great need for privacy and security."
Mobile devices and this contextual capability are not limited to telephones and tablets. Examples exist in retail, energy, healthcare, personal health monitoring, consumer electronics, entertainment, and automotive. The Internet of Things (IoT) will rely on contextual awareness with other smart devices and even less smart devices equipped with RFID tags. The collection of data has become inevitable, and the tech industry focus has shifted to figuring out how to use the stockpile.
Some great things can be accomplished with big-data analytics and ubiquitous online access. In 2011, for example, Britain's Department of Health estimated that remote patient monitoring could result in a 45% reduction in the mortality rate (I assume not permanently). Facial recognition helps in criminal investigations. Retailers can deliver sales promotions customized to an individual's interests. The television could actually "know" that I am still employed and just home for a day off, and not show me endless workers' compensation and job training commercials!
On the other hand, if growth in data is organic and truly neutral, it is just as likely that not all uses of data will have the interests of the consumer/end user in mind. What if a company analyzes an individual's bill payment data and bombards him with predatory loan offers?
A company also could potentially withhold information, not because you've specified you don't want to see it, but because the company doesn't want to show it to you. For example, what if a health insurance company were to give customers a free fitness bracelet and health app subscription, and then use the data to avoid marketing information on products and renewals if the customer is measured as a high risk?
Finally, sheer carelessness with consumer data could create access into an individual's personal data in an unprecedented way simply due to the detail of data collected.
Privacy Lawyers and Regulators
Last September at the wireless conference CTIA 2014, the participants of a panel regarding the future of privacy all agreed that current privacy laws are not keeping up with technology. Keith Enright, senior privacy counsel at Google, emphasized how quickly technology is moving, saying: "Users are getting more sophisticated in ways you did not anticipate, and the global scale creates conflicting legal requirements. When you are launching something that has not existed before, there is not a binary right and wrong answer. Even in the same household there may be a different answer."
Karen Zacharia, chief privacy officer at Verizon, added, "Customers are not going to like this, but public policy cannot keep up with technology. Laws need to build on fair information practices, notice and choice."
New types of connected devices add to the problem, noted Ruby Zefo, Intel's chief privacy and security counsel. "The new wearables group is highly unregulated. You need to make sure people know what you are doing with their data," she said, while also predicting an "increase in privacy cops -- the FTC, FCC, state attorneys general, Congress, and international agencies are all interested in privacy."