
Posts Tagged ‘privacy’

PII 2011: Implementing a Privacy Program

November 15th, 2011

This session is a “behind the scenes look at Microsoft’s internal privacy program.” See the agenda for more information. Participants: Kim Howell, Reese Solberg, Michelle Bruno.

Kim Howell, (one of the) Privacy Directors at Microsoft: When you’re doing a privacy review (practical, intuitive), you need to ask questions. Role playing with Reese as a new company seeking a “privacy policy.” First questions (from our table discussions): what does the site do, how do they collect info and what do they do with it? What’s their info flow path (is it resold?)? What’s their business model? How do you protect what you’ve collected? Controls by the individual (can visitors remove their data? remediation? transparency?)? Cookies? Other passive data collections? Countries involved (collection, use, storage)?

From Kim: Website: is this a new domain, link to privacy statement? Is there an existing privacy statement, and does it match/make sure it covers everything? Data collection (see above). Send questions to new site/organization, get information, iterate. More questions: authentication, communication, vendors. Are people creating new accounts? Use of email? Data access requests? Vendors? Next round of questions: how well do IT + PR + Lawyers work together? Does the privacy statement match the service? Where’s plausible deniability? Make sure what’s required is clear, what’s optional. Provide better notice about use of information, data retention. Using HTTPS? How easy/obvious is it to obtain informed consent when signing up? Companies often think they can write a privacy statement at the last minute. (Wrong)

Next iteration: What new data is being collected? Being sent where? Other (new) features coming up? What info is shared? Location: is it always being sent, or only in use when the app is open? What other info (unique device ID, cell tower info, gender, etc.) is being sent with location data? Data retention? If the service changes, the company may need to re-opt in application users. Privacy controls? (Example of circulating the data within different departments of the company: “accounting department loves this data.”) Who needs access? For what use? Access to raw data or aggregated statistics? Have data handlers been trained? Unique identifiers are not the only way of identifying a person. What’s the intended use of collected data?

Michelle Bruno, Technical Privacy Manager: see printed case study (not online). Focus areas:

  1. Level setting: focus on use of customer data, customer expectations, opting out
  2. Author guidance: “how to” guides, privacy review checklist, company activities, data sharing, research and betas
  3. Position yourself: pro-business privacy message, culture of privacy as a value-add
  4. Piggyback: identify existing processes that you can take advantage of: spec templates, guidelines, bug tracking, testing, release management…
  5. Analyze and assess: comprehensive data-gathering plan to understand company’s risk
  6. Educate: pro-privacy contacts in each group to help succeed, spread word to peers about new process/resources
  7. Identify triage partners: incident handling, partnerships in legal, customer support, operations, PR
  8. Measure: what are your success metrics?

Questions: tension between user controls and corporate collections? Make sure value matches, is understood by both sides. Look at what business can put in place to allow better user controls. Microsoft has a federated privacy team, Kim’s team defines what compliance looks like.

Not mentioned in this panel but of some related interest (about Terms, not Privacy Policies): TOSAmend and EFF’s TOSback.

future, history, records, tools

IIW XIII: PDEC Technical Documentation Group

October 20th, 2011

Markus pointed out that the purpose of PDEC is to help coordinate and educate, and to facilitate dialog in the system. Most of our current work is on the legal and business level, and it also needs to happen on the technical level. PDEC is trying to catalyze the ecosystem. One of the important promises of the ecosystem is interoperability, which needs some technical work/agreement/understanding. We’re not about setting standards, we’re about discovery, conversation, documentation: technical profiles of the different projects, what schemas and APIs are exposed, how they are exposed, what strategies are in use.

Proposal to collect a set of questions that will help inform the dialog:

  • data model/schema for personal data
  • technology endpoints: API, network protocols, interface
  • what do they offer: query, import/export, update, delete
  • technology for protecting privacy/control: cryptography?
  • client support: mobiles? desktop? browser plug-ins?
  • developer resources: libraries? wikis?
  • notion of identity: un/pw?
  • architecture: centralized? open?
  • data portability

Interoperability:

  • What’s required to establish interoperability?
  • What’s in their future plans?
  • Can your project work with someone else’s project?

Documentation steps:

  1. Document technical profile — with temporal attribute (what tech now, what changes coming?)
  2. Interoperability: do you have interoperability with another member of the ecosystem? or planning to do?
  3. (TBD)

Proposal suggested that we put a set of questions up and propose member organizations post responses (RSS or other) to help “cat herding” of the information. Proposal suggested to organize info in three columns: name, tech keywords, brief description. Proposal to pre-define businesses (personal data store) then differentiate between those companies/projects. Some questions won’t apply equally to all companies in the startup circle.

Survey Examples (does this format work?):

| Technology | Personal.com | Locker Project | Gluu/SAML appliance |
|---|---|---|---|
| Data model/schema | own schema (gems) | x | x |
| Tech for sharing | RDF endpoints, oAuth? | x | XDI, LDAP, SAML for federation |
| Protecting privacy/controls | x | x | x |
| Client support | x | x | x |

Need to do more thinking on how to collect/organize this information.

future, history, records

What They Know

June 4th, 2010

The information sharing industry is pretty opaque to most people. We have no idea what “they” know about us. Moreover, it can be infuriating when certain companies make assumptions about us that are clearly erroneous. It can be absolutely unnerving when total strangers strike a little too close to the bone.

It’s instructive to find out what they know! Several years ago (2006), my friends at Privacy Rights Clearinghouse wrote a post called For the New Year, Resolve to Check Yourself Out that will help you do this. Their list of resources will help you understand who you are from the perspectives of your:

  • Credit history
  • Medical Information
  • Bank account history
  • Insurance claims
  • Public records
  • Search engines

I’d add one point to their last bullet. If you have an account on Google, you can now go into your Google Account Settings (look for the link in the upper right corner to Settings). Under Personal Settings, look for Dashboard: View Data Stored with this Account. It’s a view of what Google knows about you.

Coaching moment: It can be both overwhelming and empowering to know this much about your world. Fortunately, the overwhelming feeling can be countered by putting the story together and taking control of the problems. You’re creating a story, a narrative of who you are. Fix your problems if you can. Imagine a world in which you controlled your own information and others came to you for it. That world might be highly customizable in ways that were unique to you. What would that look and feel like?

future, history, records

On Data and Disclosure

December 15th, 2009

I like to think about ways to customize my world, and the digital world writ large, in ways that support and help us explore our unique selves. It is in our very diversity that individual strengths can play out to become our personal best, to help each other grow, and create fertile new worlds.

However, under the guise of “increased security,” we are increasingly surrounded by tools and technologies that minimize and standardize us, including video surveillance and data storage and analysis. About that last link to Google, CEO Eric Schmidt recently said “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

This indiscriminate personal data hoarding is both an individual and a societal problem. Schmidt’s argument that we shouldn’t have anything to hide is specious (not to mention a double standard: it doesn’t apply to Schmidt). In a 2007 paper called ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy, George Washington University Law School’s Daniel J. Solove convincingly critiques that argument. Indeed we have many things to hide, like our passwords and credit card numbers, certain personal habits and preferences, things that contribute to human dignity and respect. As noted security expert Bruce Schneier writes in his essay The Eternal Value of Privacy, “Too many wrongly characterize the debate as ‘security versus privacy.’ The real choice is liberty versus control.”

Ironically, Gary Wolf and Kevin Kelly host a blog called The Quantified Self where they report about people exploring ways to keep track of themselves. There’s a significant difference between data sets driven by curiosity, personal need, and voluntary disclosure, and corporate ventures like Facebook (nod to jerking you around again with recent privacy policy changes), Google (Schneier’s response to Schmidt’s quote above), and damned near every corporate site you make an account with and that tracks your every move these days.

I’m looking for examples of sites that encourage liberty and demonstrate some respect for their users/clients. I will be reporting on what I find. If you have suggestions, I welcome them.

Coaching moment: Here’s a little thought exercise. Think about a typical day in your life.

What kind of things do you do in private? These might be taking a shower, brushing your teeth, thinking about the day. Some things might be really private as in just you by yourself, and other things may be private in some context, like thinking about your day out loud with your spouse or partner. Once you get a good list, which of those things would make you uncomfortable if they were made public in some way?

Now think of the kind of things you do in public, like driving to work or the store, walking around, having a conversation over lunch. Think about stories that might be told about you from the perspective of not knowing what you were really doing. You might take clues from signs that you walk by, or maybe other people (posture, groupings, facial expressions). Can you think of any stories that are not only wrong but might hurt you?

Finally, think about your online tools. Have you actually looked at the Terms of Service or Privacy Policies that you’re agreeing to? If you knew they were disrespectful to you or even abusive of your personal self and liberty, would you stop using them? Since the answer is “probably not,” what would you suggest these companies change?

friends/family, future, history, records, tools

Future Imperfect

May 15th, 2009

This post is going all geeky on you. There’s a mission and a method to my madness, and I mean madness in the most forward thinking way. After all, if we don’t have a vision or a dream, what makes up the color in our future?

First up is Fred Wilson’s presentation from a talk that he gave at Google. Note that even though these are just the slides, Wilson gives you a clear idea that there’s something disruptive going on.

Second up is a report from JD Lasica and the Aspen Institute entitled Identity in the Age of Cloud Computing (PDF, purchase). Lasica points out that the disruption is all about identity, personal empowerment, and benefits to society and commerce all around. From his report:

Excerpt: Why the Cloud Matters

According to Newsweek: “At the end of August [2008], as Hurricane Gustav threatened the coast of Texas, the Obama campaign called the Red Cross to say it would be routing donations to it via the Red Cross home page. Get your servers ready—our guys can be pretty nuts, Team Obama said. Sure, sure, whatever, the Red Cross responded. We’ve been through 9/11, Katrina, we can handle it. The surge of Obama dollars crashed the Red Cross website in less than 15 minutes.”

The New York-based tech start-up Animoto, which lets users create professional-quality, MTV-style videos using their own images and licensed music, was averaging 5,000 users a day until it suddenly received a burst of new users who discovered it through Facebook. Its traffic surged to 750,000 visitors over three days. The number of servers Animoto was running on jumped from 50 to 3,500 during that span of time. “It was just numbers we never imagined we would ever see,” chief technology officer Stevie Clifton told a Seattle newspaper. “It was fun and scary and pretty cool.” Thanks to Amazon Web Services, Animoto’s servers did not crash, because Animoto does not have any servers. It outsources its computing power to Amazon.com and pays only for what it uses. The ten-employee company is now expanding. Amazon CEO Jeff Bezos touts Animoto as the poster company for cloud computing.

The tales of the Red Cross and Animoto neatly sum up the contrast between the former economy and the emerging cloud economy. If the Internet economy is an apt descriptor of the changes taking place around us today, then the term cloud economy could justly be ascribed to the still larger global disruptions ahead. Google CEO Eric Schmidt has called this “the cloud computing age.”

Coaching moment: Sometimes people I talk with say that they feel like a lone wolf howling at the moon. Most of the time these people are visionaries or idealists that don’t have a common public voice. The crowd hasn’t discovered the conversation yet. Identity is one of those conversations. It’s a relatively small group talking about a subject that everyone will be impacted by, and that the future will be shaped by (one way or another).

If you’re one of the lone wolves, take heart. Keep up the good work. The more we tell the story, the better we get. The better the story becomes, the more people will want to hear it. The time is good to explore, discover, think, discuss, and practice telling the story. Not everyone is ready to hear it yet, which is ok. All things in time.

future, history, records, tools