Everyday Life and the Expectation of Privacy

November 2, 2009 by ADMIN

Coby Royer, Technical Product Manager for Symplified

Bob Blakley from The Burton Group recently posted a great response to Andrea DiMaio of Gartner Group regarding privacy.

There are lots of great viewpoints expressed in Bob’s blog and comments, but I’d like to raise a perspective on privacy that is not fully addressed.

I’ll start with an analogy - fortunately, my daughter is not yet old enough to drive but I’m sure this story is a reality for many of you.

You loan your car to your kid. You set an expectation - either explicitly (you may go to the mall with your friend but only you can drive and you may not go anywhere else) or implicitly (previous communication or rules and/or precedent about who can drive the vehicle).

The expectation is a shared understanding of what may be done with the vehicle.

You take on a calculated risk based on the nature of the act, your ability to “know” that the expectation is fulfilled (visibility), and to incentivise the fulfillment of that expectation (the incentive can be a carrot or a stick - and can arise from friends, family, or institutions in our society, e.g., law enforcement).

In short, I let the kid have the car and cross my fingers she is not letting her friend drive or going somewhere other than the mall.

Visibility is tough, although GPS and other technologies are helping these days. In a hypothetical world of complete trust, I can simply ask my daughter if she followed the expectation.

So why am I talking about loaning a car in an article about Privacy?

The answer is simple - privacy is a special case of trusting others with assets. In the world of privacy, the asset is information.

Instead of loaning her a car, suppose I am telling my doctor about a medical condition. I take a calculated risk (will my doctor tell others or post my name and condition on a web page?).

I believe we have a common expectation (thank you, HIPAA, for ensuring I receive a Privacy Statement) and I know there are incentives to uphold the Privacy Statement.

(HIPAA does have teeth, right? Well, maybe: In a recent survey by Ponemon Institute, 80 percent of responding health care organizations had experienced at least one incident of lost or stolen electronic health information in the past year.)

Now, in the automobile analogy I set an expectation about the transference of the asset (you may not let anyone else drive). I didn’t say “you can only loan the car to someone you trust.”

In the case of my HIPAA Privacy Policy, there is a provision for transference - my medical information will be provided to my health insurance provider.

But not my employer. OK.

In short, my view is that this is all about setting and meeting expectations; this is as old as human discourse and is not based on technology.

But technology changes things - it both helps and hurts. And it could help a lot more than it is presently doing.

I haven’t said much about visibility so far.

Visibility is tricky: it’s nearly impossible to know if my daughter lets her friend drive and where she takes the car (well, until I get the photo radar speeding citation with friend Suzie driving nowhere near the mall.)

But visibility could be easy with information assets - metadata can be included to identify the source of an asset (and even the chain of transference if it has been passed along).

And privacy policies abound, so maybe we have enforceability to incentivise stewards of private information to abide by our expectations.

Maybe.

So to me, privacy is not black and white. I might trust low-risk information to others even when there is little visibility or privacy incentives.

I might set an expectation that transitive trust is OK - I not only trust my doctor with my medical history, I trust them to pass it along to others that are trusted and fall within the same parameters of our shared expectation.

In some cases I know litigation is a real incentive. In other cases, societal pressures may suffice (when I expect a social behavior and not an anti-social behavior as Bob would say).

And in many cases, the expectation is not fully articulated or precise - I expect that private information will be used to benefit me and not harm me.

One thing that is fascinating about today’s connected world is the ease of disseminating information. One post to a website can get millions of viewers. And information is freely replicated, unlike physical assets.

So we need to be extremely careful with our private information. And digital information can stick around a long, long time. And it is readily searched. So in these ways the technology hurts privacy.

The first time someone sent me a “gift from Pennsylvania” on Facebook, I declined because of the warning that the Gift application can access all of my personal information.

And there is no transitive expectation of what that application will do with it. There was no privacy expectation, period.

Even if there was, I don’t feel I have visibility (at least with the doctor’s office I can ask who my medical history was shared with).

And as far as incentives and enforceability are concerned, I don’t feel very protected on today’s social networking sites.

But, in the end, I have accepted (and sent) these kinds of gifts - based on one fact: my activities on Facebook are really pretty pedestrian.

I have yet to rush home from the doctor after being diagnosed with an embarrassing condition to post it on my Facebook wall.

Check out Ian Glazer’s blog about the Facebook issue and PPIA.

So as we further our privacy interests as a collective community of advocates, let’s continue to ask about expectations, how they are asserted, communicated, and agreed; how privacy infractions can be made visible, and what economic, legal, social, and moral incentives we can cultivate.

Regardless of what you feel should or should not be private, we all have a right to set expectations that we trust will be met.

And as technologists, we have the capability to improve the state of privacy in the face of technological advances that might otherwise undermine it.

Privacy is not an Illusion, it is a challenge.

* * *


Coby Royer has over 20 years technology experience in software and security startups, consulting, and large enterprises. He has served roles in software development, enterprise architecture, and management, in lines of business that include Internet security, commercial software, financial services, consumer goods, e-commerce, and expert systems. He holds a number of patents in security and e-commerce. Coby serves as Technical Product Manager at Symplified, Inc.

Symplified, Inc. is a unified access management system purposely built for the cloud architectures of SaaS. Symplified integrates your existing IT infrastructure with the cloud, streamlining management, reducing costs and improving security. Symplified was designed to address your on-premise access management needs as well. Build secure portals with personalized access for your workforce, customers and partners. Symplified offers a complete, enterprise-class Web Access Management (WAM) infrastructure that rivals the capabilities of expensive, 1st generation products but without the frustrations and limitations of heavy monolithic software.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Comments

2 Comments on Everyday Life and the Expectation of Privacy

  1. uberVU - social comments on Tue, 3rd Nov 2009 1:00 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by securitypro2009: Everyday Life and the Expectation of Privacy : Information … http://bit.ly/2Piujs...

  2. Michael Bacon on Wed, 4th Nov 2009 8:58 am

    A very interesting article, for which many thanks.

    I comment that expectations of privacy vary, and society’s recognition of these changes over time … although this also varies from culture to culture and age groups. Even the court-upheld “right” to privacy is a variable.

    For example, on the one hand, “celebrities” assiduously promote themselves and provide titillating snippets of their lives to the media, on the other they seek and often obtain injunctions against the publication of “private” photographs … usually when these show them in a less-than-flattering light. In the UK “Contactpoint”, a new database storing the personal details of all children has been criticised for potential vulnerabilities. Despite government denials of security weaknesses, access to the details of children of “celebrities” will be limited and more strictly policed.

    In Victorian England, the sight of a lady’s ankle was held to be so sexually inflammatory to the male that even piano legs were covered. Fast-forward to the 1960s and the mini-skirt left little to the imagination. In less than 100 years we have moved from the concept of pregnant ladies being “in confinement” to the front page celebration of the naked pregnant form and breast-feeding in public.

    Politicians are an interesting topic when it comes to privacy. In the USA someone running for public office must expect that their lives past and present will be raked over thoroughly by the media (in passing, it surprises me how many have skeletons in their cupboards that they erroneously believe will not be uncovered … or that they think they can “spin” or even buy away). In the UK they appear more adept at avoiding intense scrutiny (the MPs’ expenses issue notwithstanding). To tortuously misquote George Bernard Shaw, “Two cultures separated by the privacy of the ‘political class’.”

    Certainly there are areas where the expectation of privacy is maintained. For example, one does not expect CCTV in toilet facilities … but they are beginning to turn up in store changing-rooms as an anti-theft measure. The latest “whole body scanning” devices being tested at airports show the passenger’s body in greater detail than many will be comfortable with. Nevertheless, they will likely become an everyday part of travel.

    Our privacy is eroded by the state and business and given away by ourselves (viz. social networking sites). In July 2009, Sir John Sawers, the then future head of Britain’s Secret Intelligence Service MI6, was “outed” on Facebook by his wife.

    In the electronic domain, the Information Commissioner in the UK has expressed the view that it is preferable to control employees’ access to websites rather than monitor what sites they access and what they transact with those sites. This seems to me to be a sensible approach. Nevertheless, there are many bosses who would like detail of their staff’s use of the Internet, including these details. A risk assessment is advised before monitoring begins, but few companies follow this good guidance.

    Good intentions, initiatives, self-regulation and legislation have all tried to address this issue of privacy. None have been successful in stemming its erosion. There appears always to be some “greater need” that drives down the level of acceptability.

    We might see a resurgence in privacy, even a return to covering the well-turned legs of pianos, but somehow I doubt it. The more we lose, the easier it becomes to take or give away the remainder. I fear that we are heading towards privacy-poverty, where the rich and (in)famous can pay (or be entitled) to retain their privacy, whilst everyone else will be denied that “luxury” by either market forces or government decree, or, most commonly and frighteningly, simply apathy.

    [The views and opinions expressed above are exclusively those of the author speaking in a private capacity.]
