Bravo to Google for Publicizing Their New Privacy Policy

Whether you like their new policy or not, Google deserves a huge credit for telling their customers about it at every touch. I started Gmail and there was a conspicuous notice to pay attention to their new privacy policy. Same thing when I did a search, used Google Voice, etc. Whether consumers read the summary notice, the full notice , or ignore it is something Google knows but I am glad they are doing it.



Cybersecurity/Privacy Predictions for 2012

Now that I am closing my consulting business and looking for my next great adventure I wanted to get advice from cybersec, privacy, and business leaders. I called this this “thought leader 2011 tour.” I wanted to know the issues that we’d be dealing with in the next year. Here are some common themes I heard:

a)     Big data – Online activities that leave easy-to-follow digital footprints which provide a rich profile of what we buy, where we go, who are our friends, and who we are. Hadoop and advanced analytics can drive innovation. Personal data is more valuable than gold. What is the appropriate balance between privacy and innovation?

b)     Data warehouse in your pocket – Smartphones can collect a treasure trove of data. Where you are, who are your friends, your speech, your shopping list, your health and diet data, etc. A smartphone is always with us and is always on. It is hard for end users to control their mobile privacy by deleting cookies or blocking unique ID’s identifying a specific phone. Protecting this info from bad guys and unscrupulous marketers will be of great concern in the future.

c)      The “personalized attack” – As the amount of personal info online grows it provides bad guys with the information they need to personalize an attack. This includes using info to guess your password reset question (“what is your favorite food”) or sending an email with malicious content from a friend or co-workers e-mail address. Personalizing the attack increases the effectiveness.

d)     Be prepared for the inevitable breach

e)     The merger of cybersecurity and privacy – In the past these organizations typically did not work closely. There needs to be a tight coupling to ensure that the right data is being collected and used as well as ensuring that it is protected. Protecting the “corporate gold” is a difficult task requiring collaboration.

Is 2012 about the Control of Data?

Big data, Hadoop, analytic’s were on many 2012 prediction lists including mine. Perhaps one of the important keys is “control of the data.” How does data enter an organization (directly from customers, purchased or shared from third parties), where does it reside (internal vs. external, US, outside the US), how is it processed, who can access and manage it, and archiving/deletion. With exabyte sized systems (thousands of petabytes), cybersecurity/privacy pro’s job will be tougher.

How NOT to Publicize Your Privacy Policy – Spotify.Com

I like the idea of giving users easy access to your privacy policy and terms of use. I wish more sites would not hide their policies. On the other hand when you put the policy in the face of your users (i.e.,when they log in), it should be concise, not written in legalese, and use proper English (or whatever language your site uses). I logged into Spotify.Com, the hot free music streaming service. Immediately the new privacy policy is in the users face.  First line: Spotify Terms and Conditions of Use. OK. Next sentence: Effective as from 14 October 2011. I guess this means effective as of October 14. Next sentence is absolute legalese. 62 words long and four lines of text. The next sentence is eight lines long. I continue reading. The entire agreement takes 26 mouse clicks to read. I defy anyone to read it in less than 15 minutes. My mom is very smart but she would have no idea what the words mean nor would she have the patience to read this. It doesn’t pass the “mom test.”

We privacy professionals have got to do better.



Privacy by Design: Key Concern for VCs and Start-Ups

When I was at AOL, I was a big proponent of “privacy by design.” When we detected a problem with an “existing” product, fixing it was often very expensive. Build in privacy from day 1. But not only does it apply to big established companies by start-up’s need to incorporate “privacy by design” principles into their business plans. I know that many VC’s are expecting to see cyberscurity & privacy included in the start-up’s business plans.

The URL below links to an article from the Information Law Group written for startups. It addresses:

  • Your business model
  • Your market
  • The legal risk environment
  • Integrating privacy by design


A Great Debate on the Limits of Privacy & Legislation to Restrict Data Use

In Vermont, unless a doctor consents, the state’s prescription confidentiality law now prohibits the distribution and use of prescriber-identifiable data for marketing purposes. This could change, depending on if the U.S. Supreme Court decides if this law is a violation of the First Amendment. Data-mining and pharmaceutical companies claim that the ban violates free speech rights.