Posts Tagged ‘identity management’

PII 2011: Owning Online Identity: Consumer-Managed Data

November 15th, 2011

Fatemeh Khatibloo, Forrester Research moderates panel with Jason Cavnar, Singly, Todd Cullen, Acxiom, Shane Green, Personal, and Mary Hodder, Personal Data Ecosystem Consortium.

Fatemeh: why do consumers care? Jason: consumers have a sense of things being out of control. Todd: clients desperately looking for meaningful way to interact with consumers. On supply side, it’s new territory. Huge demand on marketer’s side. Shane: at core, we realize that who has access to our data shapes our experience, access, opportunities. Value: there’s a blindspot about what data is worth in additional value exchange. The more you start to see the opportunities as tangible, the more value is obtainable. Mary: This event is at a good time. As users get stalked online, they become aware that something’s happening, don’t know what to do, start calling senators. Opportunity for alternative to Do Not Track legislation, market solutions.

Fatemeh: privacy audits, do they provide a false sense of security when the government starts to audit the big companies? Shane: follow the money: big money in top right corner of Facebook (strong tie to advertising). People are waking up in unexpected ways to see connections between dollars and sense. Survey in their marketing: difference between “stuff in the attic that might be sold” vs “spy or thief in my attic.”  Jason: general awareness, at consumer level it’s my data, Sand Hill Road and companies that make money monetizing personal data. He’d like to see Silicon Valley invest in this respect as better model. Mary: zooming out a bit, how this works revolves around incentives (shipping parties, 3rd parties) and how they’re structured, and how does that structure support the business model? Going back down to audits: they’re meant to inspire fear as provocation to do the right thing. But how to incentivize the parties to do the right thing from consumer’s perspective?

Fatemeh to Todd: privacy and audits, marketing disconnect, who do we talk with in these organizations to make a difference? Todd: I wish it were one person such as a data steward, but that’s really rare. Our data is traveling around the web, should be easy to capture it for free. As long as this disconnect persists among marketers, no incentive to contribute to solving “a problem.”

Jason: Infrastructure needs to be put in place. Shane: lots of teaching, CEOs don’t understand how they got in the Wall Street Journal for spying on people. Mary: we talk to folks in advertising and trade agencies, Salesforce and CRM companies, media buying entities… right now they’re heavy users of personal data online. Folks are getting on board, need to know what business model is and how to fix this. Jason: there’s an enterprise need for interoperability too. Business model will be around easy access to customer control of data.

Fatemeh: industries that will help propel this forward, who has the most to lose and the most to gain? Jason: it’s the #2 in every market. Mary: banking and finance, there’s a lot to gain, high value in helping with most basic functions (e.g., reconciling statements with Mint), documenting meta-data around trades of data. Shane: agree that #2, 3, 4 players have a lot to gain. This is really tough for big incumbents because of embedded complex systems. Too much friction getting access to certain kinds of data that could reinvent/innovate travel processes, for example. Smaller innovators can tool up faster. Todd: high tech firms are not traditionally big buyers of data. Drive to grow globally: lack of reputable suppliers.



future, records, tools , , , , , , , , ,

PII 2011: Personal Identity Management

November 15th, 2011
Comments Off

Forrester analyst Fatemeh Khatibloo asked if people had made available their report Making Leaders Successful Every Day. Report is available from Personal. She talks about car buying process as an example: start with personal RFP-type offer, receive offers that are customized to our concerns. Our interactions with dealers lead to purchase of a car. (Related: see ISWG’s Car Buying Engagement Model.)

Five key concepts that brands and companies need to do to engage:

  1. Respect my data, respect me
  2. Security of infrastructure, governance
  3. Transparency
  4. Data portability
  5. Economy, including penalties for bad behavior

Why is this coming? Consumers are fed up (breaches), but want relevance, convenience and value. Gigya study on single sign-on says many people use social sites for logins.

What should marketers & brands be thinking about: Rewrite your privacy policies to be understood. Create an organization-wide data governance policy. Install a data steward to liase between org and consumers (distinct from IT Privacy officer). Start working towards true data portability.

In future, Forrester is looking at redefining personal data, trust frameworks, how VCs look at this industry, etc.

records, tools , , , , , ,

PII 2011: Mapping the PII Market: Players, Regulators, Stakeholders

November 15th, 2011
Comments Off

Session with Terence Craig and Mary Ludloff, PatternBuilders. Terence: their book is Privacy and Big Data (O’Reilly).

Things have changed in privacy and personal information. PII-driven business models (later). Data collectors are the engine: giants like Google, Facebook, Twitter, also organizations and agencies like Florida DMV (sold data to LexisNexus), also mom & pop operations. What makes information valuable? Your health and wealth, the networking you do, the Internet of things (you). What role to the aggregators play: markets for buying and selling data. Uses are infinite: research, monitoring, predictive modeling, advertising…

PII-driven business models:

  • Platform plays (SAS, Hadoop, Revolution, Microsoft’s SharingInsight, CouchDB, etc.) – where everything is phoning home all the time.
  • Social plays: LinkedIn, Facebook, Google Plus and Foursquare, but mobile is not this change. Also KISSmetrics, Klout, Zinga, hootsuite, radian6.
  • Goverment plays: TSA and NSA, FBI, IRS, can buy from Facebook, Palantir (DOD).
  • Privacy plays: SafetyWeb,, TRUSTe, Singly, also Intellilight (in Detroit, attached to street lights where if there are a couple of people are there it turns audio mike and calls police), Spokeo, Datong
  • Everyone plays: not just about advertising, many industries and business models benefit.

Implications for all PII players: privacy expectations, regulatory adherence (global), transparency (toward customers), crisis management. Privacy concerns are growing with consumers. Government is signalling that concern with new legislation. Companies must invest in this area, including training and certification.

Regulations: it’s confusing and will get more so. US: >30 federal states, >100 state regs for data security privacy. EU, pending legislation adds more. Bottom line; you’re going to need help here. Be transparent, be explicit about what you can’t provide. Use opt-in data options only.

Crisis management: when things to wrong, know how you are going to deal with them. Get a team and process in place. It’s about staying with the story if you can (used to be getting ahead of the story, now stay with). How to avoid a train wreck: be transparent, think global, be ready for breaches, behave as if you were worth your customers’ trust.

Question: opt-in: don’t short the short-term: be transparent. Opt in is a good way for customers to choose, is sticky.

future, history, records, tools , , , , , , , , ,

PII 2011: Baking Privacy into the Business

November 15th, 2011
Comments Off

This session features Lauren Gelman, BlurryEdge Strategies, and Kevin Mahaffey, Lookout Mobile Security. Kevin says most powerful force in a company is security and privacy. However, no start-up starts with Chief Privacy Officer. Lookout uses a “New York Times test”: everything you’re doing can be published on front page, including how your product works. “Everyone complains about privacy policies, but the more you can communicate with users you can avoid a whole world of pain.”

Lauren: what if your device was stolen? You probably don’t want to notify the thief that the device is being tracked. What’s your threat model? Who’s looking for your data?

Kevin: you have a choice of encrypting data or password resets. There are constraints from many interests that will prevent you from doing what you want. Trust-e is doing some good work.

In mobile space, you have more options of notifying people. Different for platform vendors and mobile developers. For mobile developers, analytics and advertising libraries–the issue is that you’re using user data to determine value. Mobile breaks down in the types of data being collected, not disclosed properly in privacy policy. All SDKs collect lots of info, hashed (sometimes with improper salting, revocation). Inherent architecture in advertising is prone to surveillance-level collection. For example, advertising sometimes passes referrer info to track conversion rates, but is creating a “worse system around” the data. Kevin’s work is trying to make process more transparent.

Each platform makes decisions about how users are going to make decisions about their use of the device. Tremendous liability for companies that misuse customer data. Users are starting to weigh this as a decision point. Compliance is a smaller part of Lauren’s work–there’s a whole lot of unregulated stuff going on. She gives a company a “gut check” on what users would think of these practices, collecting location info and what’s reasonable notice, later translation into a document.

Compliance is not big for startups. The companies that succeed are likely to be those who handle privacy best in any new field.


Server location and data protection: different countries treat data variably, what about later when data is valuable? This is a really hard problem, best answer is locate servers in countries with best policies (Kevin Marks suggests Iceland). Have policies that spell out requirements: what you have, retention, is there another alternative to what’s normal procedures, etc. Other extremes: all user data is going into cloud such as Amazon services. This is an adjustment for people. Who holds the key?

New changes to Facebook? It’s a decision to work with them or not. Lauren doesn’t believe that Facebook-like practices will happen again. Using FB Connect is a decision to facilitate user authentication.

What do you think about AWS services, 80 page Terms of Service that allows a very invasive data policy in Amazon’s favor? Lauren: a lot of people are trusting what Amazon’s going to do. I’ve read their TOS and I don’t know what Amazon’s going to do. Important to ask about notice, what kind of policies need to be ported from cloud hosts into your products/services.

Not in this session but related: I Shared What?!? – a service that shows you what information you’re sharing when you use Facebook or FB Connect.

future, history, records, tools , , , , , ,

PII 2011: Implementing a Privacy Program

November 15th, 2011
Comments Off

This session is a “behind the scenes look at Micrsoft’s internal privacy program.” See the agenda for more information. Participants: Kim Howell, Reese Solberg, Michelle Bruno.

Kim Howell, (one of) Privacy Directors at Microsoft: When you’re doing a privacy review (practical, intuitive), you need to ask questions. Role playing with Reese as new company seeking a “privacy policy.” First questions (from our table discussions): what does site do, how do they collect info and what do they do with it? What’s their info flow path (is it resold?)? What’s their business model? How do you protect what you’ve collected? Controls by the individual (can visitors remove their data? remediation? transparency?)? Cookies? Other passive data collections? Countries involved (collection, use, storage)?

From Kim: Website: is this a new domain, link to privacy statement? existing privacy statement and does it match/make sure it covers everything? Data collection (see above). Send questions to new site/organization, get information, iterate. More questions: authentication, communication, vendors. Are people creating new accounts? use of email? data access requests? Vendors? Next round of questions: how well does IT + PR + Lawyers work together? Does privacy statement match the service? where’s plausible deniability? Make sure what’s required is clear, what’s optional. Provide better notice about use of information, data retention. Using HTTPS? How easy/obvious is it to obtain informed consent when signing up? Companies often think that writing a privacy statement at the last minute. (Wrong)

Next iteration: What new data is being collected? being sent where? other (new) features coming up? what info is shared? location: is it always being sent, or only in use when app is open? what other info (unique device ID, cell tower info, gender, etc.) is being sent with location data? data retention? If services changes, company may need to re-opt in application users. Privacy controls? (example of circulating the data within different departments of the company, “accounting department loves this data.”) Who needs access? for what use? access to raw data or aggregated statistics? Have data handlers been trained? Unique identifiers are not the only way of identifying a person. What’s intended use of collected data?

Michelle Bruno, Technical Privacy Manager: see printed case study (not online). Focus areas:

  1. Level setting: focus on use of customer data, customer expectations, opting out
  2. Author guidance: “how to” guides, privacy review checklist, company activities, data sharing, research and betas
  3. Position yourself: pro-business privacy message, culture of privacy as a value-add
  4. Piggyback: identify existing processes that you can take advantage of: spec templates, guidelines, bug tracking, testing, release management…
  5. Analyze and assess: comprehensive data-gathering plan to understand company’s risk
  6. Educate: pro-privacy contacts in each group to help succeed, spread work to peers about new process/resources
  7. Identify triage partners: incident handling, partnerships in legal, customer support, operations, PR
  8. Measure: what are your success metrics?

Questions: tension between user controls and corporate collections? Make sure value matches, is understood by both sides. Look at what business can put in place to allow better user controls. Microsoft has a federated privacy team, Kim’s team defines what compliance looks like.

Not mentioned in this panel but of some related interest (about Terms, not Privacy Policies): TOSAmend and EFF‘s TOSback.

future, history, records, tools , , , , , , , , ,