Rated P for Private? It’s Time to Re-think Privacy

Rated P for Private? It’s Time to Re-think Privacy

You probably know privacy is a thing of the past, that is unless you spend a lot of time digging for freshwater clams in marshlands of Loon Lake. Mark Zuckerberg said it years ago, but he thought it was a good thing. In the wake of the Equifax breach and Cambridge Analytica, the end of privacy is no longer scary. It’s neutral. We’ve reached a “Now What?” moment.

Is It the Algorithm or the Microphone?

We can all agree paranoia is bad for business, and there’s plenty to go around these days whether you’re on the marketing side of things, the breach side, or the consumer side.

With no expectation of privacy, we’ve become a little numb to the parade of stories–both reported by the media and anecdotal–of connected devices eavesdropping on us–serving ads for things mentioned in casual conversation. But we’re all online every day, and in the process leave a trail of cookie crumbs for marketers to find us. There’s no need for a hidden mic.

While many enjoy the convenience that facial recognition provides in retail micro-targeting products and services, others hate it. We’ve heard the cringe-worthy news about health apps sharing some of the more intimate details of our sex lives with Facebook, Google, and other third parties.

Some of us shrug it off. The convenience made possible by the forfeiture of privacy is worth it to them. For others, it is an unacceptable situation. This is unfortunate, because it’s not a situation. It’s new norm, and none of it inspires a feeling of security.

A worried customer or client is a hesitant customer or client. So, how do you ease that tension? I would argue that, ironically, you can do this by creating a high information environment, where everyone can make informed decisions about how they want to interact with businesses and services.

Moving Right Along…

The need to protect privacy no longer needs an introduction. There’s plenty of legislation. New privacy laws in New York and Nevada law will go into effect October, with California’s CCPA in January 2020. Maine and Vermont already have enacted stronger laws to that effect, and many states are expected to follow.

There’s a big “but” here. Without the right solutions provider navigating privacy law can be prohibitively expensive for small to medium-sized companies. Add to that the possibility of compliance costs in a marketplace with many different laws, and we have a potential company killer on our hands. Google may be able to weather a $170 million fine for non-compliance without flinching; most of us can’t.

A Modest Proposal

Once upon a time, Hollywood was faced with a similar situation. In the beginning, there was no ratings system and it was a problem. There were many family-friendly films and then there were those that would make Mae West blush, but there was no way for the audience to know which was which. The result was an opportunity cost. Some people avoided the movies because they were perceived as scandalous.

Enter the Motion Picture Producers and Distributors of America (MPPDA and later MPAA), which set guidelines later formalized as the movie rating system still used today. It’s not a perfect system, but the benefits outweigh its flaws. First of all, it’s voluntary. The MPAA created an opt-in industry standard, avoiding the need for legislation. The gaming industry also rates product.

Most importantly, it was end-user friendly. You don’t need to know anything about Rambo: Last Blood or Abominable to decide which is better for kids; one is Rated R and one is Rated G. A similar system might work for websites and apps.

Here’s a sketch of what that might look like:

P–Protected User: Data is either not collected or it is protected and in compliance with online standards such as the GDPR, CCPA, SHIELD, HIPAA, COPA or PIPEDA.

ND–Not Distributed: Personally identifying information is collected to personalize an experience (location, ad preferences, etc.) but it is not shared with third parties.

A–Anonymized: Non-identifying usage data is collected and shared with third parties. (Forget for the moment that there’s no such thing as anonymized data that can’t potentially be re-identified in today’s deep data environment).

S–Shared: User data is collected, shared, and/or sold to third parties. (Think: Naked in a glass house.)

If a collection of privacy and data use experts could get together on the creation of this rating system, privacy policies would no longer be so perilous.

Would it work? Online privacy is getting more complex with every new whizbang, regulation, law, court case, breach, compromise, and scandal. Any workable solution needs to counter that with a general approach that can be applied globally.

If this isn’t it, it’s time to figure out what is.

Like many companies our employees have been asked to work remotely,  there are benefits that remote working provides in helping the spread of coronavirus, but with it comes its own set of cyber risks.

Unsecured applications and remote data sharing

One of the initial “shadow IT” effects of the pandemic is that a slew of new companies had to facilitate new workflow processes and applications to accomplish their work tasks.  The use of cloud applications such as video conferencing tools, CRM systems, and workflow management tools have exponentially increased, with little or no consideration of the underlying risks to the customer’s data or the cybersecurity threat that they may be introducing.

As a general back practice, we recommend that companies should require employees to test their ability to work remotely. These tests should include at a fundamental level: 1) testing of internet connectivity bandwidth and security (ie a public hotspot would NOT be deemed appropriate), 2) rules concerning location and sharing of confidential data with another person that is in their household 3) the ability to shred and protect confidential information they may have printed.

Monitoring and control of cloud applications

Accessing company networks in an insecure manner is not a new risk, but its profile is raised by the prospect of an entirely remote workforce and the use today of many cloud applications that outsource functionality of key components of their business to third-party “partners”. Companies have in the past attempted to combat this risk through a combination of formal policies, such as a remote access policy, security policy, or BYOD policy, as well as security tools and by requiring access to company networks, shared drives, and sensitive corporate information through a virtual private network (VPN) if at all possible.

However, VPNs alone are not a bulletproof solution, since many websites allow connectivity directly to these cloud applications. Our analysis shows that many applications are now directly accessible through the cloud.

Written by Adam Levin

Leave a reply

Your email address will not be published. Required fields are marked *