Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2021
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Roger Clarke **
Cutter IT Journal 19, 11 (October 2006)
Pre-Print of 29 September 2006
© Xamax Consultancy Pty Ltd, 2006
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/APBD-0609.html
Yet more technological developments are in train, and the ongoing desire of corporations and their governments to 'know your customer' is resulting in even more exploitation of personal data. It's little wonder that privacy problems are breaking out with greater frequency and intensity. Corporations generally are dependent on people trusting them, but they are risking the loss of public trust, and, worse, earning distrust.
Effective privacy laws can contribute to overcoming this trust gap - although the USA lags badly in that area, and is only now showing signs of making up for lost time. But the primary responsibility for addressing the challenges rests with individual corporations, which need to adopt a strategic approach to privacy.
It was presumably meant to be a secret that the corporation's senior executives had undercover access to the phone records of journalists, and even of their own Board directors. The secret isn't a secret any more. Public indignation was likely, even if the company involved was fairly small. But the company was Hewlett-Packard, and hence the indignation has been amplified by the media, and a House of Representatives Committee has initiated a Hearing (Darlin 2006).
HP's woes deliver several key messages. One is that trust matters. Another is that initiating unauthorised access to personal data is seen by the world at large as an even worse sin than failing to prevent other people breaking in. And a further lesson is that you can only afford to ignore privacy issues up to a point, after which they can cause a great deal of harm both to the careers of individual executives and to the corporation's value.
HP is just another in an increasingly long line of privacy-related disasters to affect major corporations. 15 years ago, the then very successful Lotus Corp., working with Equifax, over-played its hand by developing a CD-ROM based product called Marketplace, that was intended to make large volumes of personal data widely available to business. Consumer protest killed it, and with it an entire business unit (Culnan 1991).
In 1999-2000, Intel's proposal to include a 'Processor Serial Number' in every chip in every PC was withdrawn in the face of a storm of public protest (McCullagh 2000). Also in 2000, Doubleclick's stock price suffered badly, after a lawsuit was initiated in California, and a complaint was filed by the Electronic Privacy Information Center (EPIC) with the Federal Trade Commission (FTC). These drew public attention to an impending violation of Doubleclick's assurances that personal data it collected about Internet users would remain anonymous (Chapman & Dillon 2002, Fields & Cohen 2003).
Another high-profile drop in market cap occurred during 2004-06, after ChoicePoint was shown to have been cavalier with personal data and agreed $15 million in penalties (FTC 2006).
Some of these episodes have affected only the company concerned; but others have had wider ramifications. The attempts by a variety of corporations to avoid publicity about data leakages led directly to legislation in California that is commonly referred to as 'Information Security Breach Notification Law' (Givens 2003). Fanned by a succession of news reports of subsequent security blunders, the fire has already spread to 34 US States, and provisions of a similar nature look likely to be enacted in further jurisdictions as well.
Corporate responses to privacy-related meltdowns have uniformly been both too little and too late. In the most recent example, HP sacked the independent Board Chair, appointed the CEO in her place, sacked the messenger/whistle-blower, and nominated an ex-executive as 'designated lead independent director'. The likelihood of the public furore being quenched by such a manoeuvre is very low: it gives rise to the question 'which part of 'independent' do these people not understand??'.
For its part, ChoicePoint merely tightened the security arrangements surrounding company data. That was certainly necessary. Many companies have been ignoring well-established security requirements, and need to rediscover the benefits of professionalism within the CIO's domain. But security represents only a fraction of the privacy field. The company has done next-to-nothing to address the broader problem, and more scandals are bound to arise.
It's time to re-think your corporation's approach to privacy.
After philosophers' debates about the intricacies of the notion have subsided, trust is simply confident reliance by each of us about the behaviour of others. Trust matters. Courtrooms and even contracts are only fallbacks, and are not at all about how business really works. The flipside, Distrust, matters even more, because a bad reputation is much harder to lose than a good one, and betrayal of trust is one of the worst sins in the entire human behavioural playbook.
To some extent, a trust profile is a neighbourhood phenomenon: in an industry sector that has a poor reputation, the mud sticks to even the cleanest company. So the investment your company makes in relevant industry associations can pay handsome dividends in the form of reductions in the distrust factor.
Most of the determinants of trust are, however, under the corporation's own control. One facet of the trust profile is the company's primary and subsidiary brands, and the positive images that are expensively inculcated in the public mind as being associated with those brands.
But investment in advertising and public relations can't wash away serious stains. A concrete test of how a company relates with its customers is to compare the contract terms and privacy policies that it imposes, against a consumer-friendly template. Recent research into the approaches of leading B2C corporations suggests that consumers have every reason to be seriously suspicious and even downright distrustful (Clarke 2006a, 2006c).
Other vital aspects of a company's track-record include its relationships with regulators and with representative and advocacy groups, its handling of media approaches and media reports, and its responses to individual enquiries and complaints. Standards exist that explain in simple terms how to implement inexpensive processes that deal with communications from the public, that ensure escalation under controlled conditions inside the organisation, and that prevent uncontrolled escalation in inconvenient external environments like newspapers and television. Managing the impact of bad news stories is an art-form, but hardly an unknown one. Without effective preparation, companies risk being unable to prevent a falling pebble turning into a landslide.
A concrete example of how distrust undermines business is the rolling data-security scare. This has evidenced itself in many ways over the last few years. Viruses started it. As technology and people came to terms with that risk, worms consolidated the animalistic threat. Then spyware burst on the scene. Whereas viruses and worms were associated in the public mind with Bulgarian vampires and computer science students, it's been all too apparent that spyware is used by corporations to monitor the use of software and of valuable content such as music and video, and as the basis for manipulative adware.
Microsoft is making belated, but very welcome, efforts to significantly reduce the insecurity of its Windows and Office products. In the meantime, existing insecurities are being exploited in order to establish networks of zombies. These 'botnets' enable widely scattered devices to be used for distributed denial of service attacks, and as way-stations for scattering spam around the net. Most recently, 'phishing' has shaken consumer confidence in what has been a highly successful category of eCommerce - Internet banking.
Many of these problems simply aren't the fault of any part of the business world; but that's not how the public sees it. It doesn't matter that phishing is just another form of social engineering, and that people have the solution at their own fingertips. People believe that they don't have the power to solve these problems, and they doubt that governments can do it; so they see the responsibility as lying with the corporate sector.
The focus of most of the scandals, and hence most of the discussion, has been on security. But that focus is far too narrow, because privacy is a big basket of issues and security represents about 1/12th of it. Of the many definitions on offer, the most practical is:
Privacy is the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations
Interpreting the ideas of interest, space and interference in particular contexts isn't the trivial exercise it might seem. The first challenge is that privacy encompasses multiple dimensions (Clarke 2006b). 'Data protection' is the most apparent. Too often overlooked is privacy of the person. In the corporate world, bodily intrusions have sprung to the fore, with demands for the provision of body fluids and for submission to biometric measurement. Privacy of personal behaviour is threatened by aural, visual and electronic surveillance and recording of individuals' actions, and of private places, public places and workplaces, including web-traffic monitoring. Finally, the privacy of personal communication involves issues that range across mail covers, telephone call records access and call interception, to email monitoring, interception and archive access.
Another source of complexity is the existence of several levels of need, which cause privacy to loom out of the mist at different times and in various ways. The need most commonly considered is the psychological one: people feel demeaned, and function less well, if they lack private space. At the social level, people need to be free to behave, and to associate with others, without the continual fear that they are being watched. If they do have that feeling, then their behaviour is 'chilled'. A further level is economic in nature. For progress to be achieved, people need to be free to innovate; and today's different-thinkers, who are generating tomorrow's new revenue streams, are by definition 'deviants' who attract opprobrium from conservatives. In Europe at least, a further layer of need is perceived, involving concepts of human dignity, integrity, individual autonomy and self-determination. In the USA, meanwhile, human rights are quivering under the twin onslaught of terrorism and its real and imagined antidotes.
A factor that sometimes perplexes observers is the capacity for privacy concerns to lie dormant for long periods, then suddenly emerge and build to an irresistible crescendo. The reason for this is the situationality or context-dependence of privacy concerns. Few people are interested in 'privacy in the abstract'. Most people aren't even greatly concerned about 'privacy in the specific', most of the time. It's not until an event impinges on a person's deeply-held values that some particular 'privacy in the specific' breaks through the veil of apathy.
A test of the situationality theory is what might be called PAG: the Privacy Advocate's Game. It's usually played at a dinner-party or at the bar, with a blunt, hearty, self-confident businessman challenging a privacy advocate with something like 'I hear you're a <spit> privacy advocate. Why??'. The correct PAG response is something like 'Well, people's attitudes to privacy depend on a lot of factors. For instance, did you realise that you're a privacy advocate too?'.
After pleasantries have been exchanged, PAG continues with the advocate permitted to paint three scenarios. The advocate wins if the other player admits to qualms in respect of any of the three. The bank of scenarios that the advocate can choose from is rich, ranging from the last few months' gift-list for your mistress or toy-boy being provided to your spouse, via your mother's gyno records being published, or perhaps all of your own financial institutions providing full transaction details to taxation authorities without a legal demand to do so, to (most reliably) ready availability of your daughter's mobile phone-number, current location, and travel habits.
Another factor in privacy-issue explosions is the pent-up frustration that comes from unreasonable corporate behaviour and inadequate procedures remaining unaddressed for long periods, simply because they're under the radar and not worth spending time, money and effort on.
There are corollaries of this 'privacy doesn't matter until it does' syndrome. A problem can snowball from even a single person, via the media, to a general perception that can do severe damage to a corporation's interests. Alternative metaphors have to do with steeply-flexed utility functions, and butterflies causing hurricanes.
The battles over privacy protection laws are about four decades old. That time has seen a lot of legislation passed, so frameworks exist within which a corporation can develop its approach to privacy.
Throughout Europe, and in Canada, Australia, and even Hong Kong, that framework is fairly coherent (Bennett 1992). Those countries' laws provide individuals with some rights, but they were all developed in a strongly corporation-friendly manner. The reason for that is that business and government got control of the agenda in the late 1960s, and established the 'fair information practices' movement. This is built on the principle that, whatever else privacy laws might do, they must neither prevent business and government performing their functions nor impose significant administrative burden (Rule 1974).
The USA has stood alone among economically advanced nations in refusing to enact comprehensive legislation. The continual bursts of public concern have resulted in a veritable blizzard of law - more than 700 at federal and state levels - all fairly narrow in their focus, overlapping, and highly inconsistent in their demands on the organisations that they're meant to regulate (Rotenberg 2004, Smith 2002).
A regulatory norm was established decades ago in the form of the OECD Guidelines (OECD 1980). The principles that document contains have been left behind by technology; yet even these have never been imposed on the U.S. private sector. A heavily pruned version was published as guidelines in relation to online privacy (FTC 1998). Then pressure from the European Union resulted in a marginally strengthened version being promulgated (USDoC 2000); but these are applicable only where personal data crosses borders, and in any case they are essentially unenforced.
The argument was put in Clarke (1999) that the need to overcome consumer reluctance to adopt eCommerce would result in a turnaround. The USA, the argument went, would accept that legislation and a publicly-funded watchdog are essential elements within the privacy-protective framework that is central to the information society and economy.
The momentum that was evident at the time was suspended for some years as a result of the terrorist attacks on the U.S. in 2001 and the subsequent dominance of national security over the public policy agenda. The momentum has recovered itself. Increasingly, businesses are recognising that they can't project credible messages about their respect for people's privacy without the legitimacy that genuine L-A-W law provides. In November 2005, Microsoft told the Congressional Internet Caucus that it has reversed its position of many years' standing and now supports a robust national privacy law to apply to all companies, on- or offline (Economist 2005). In June 2006, a Presidential hopeful launched a legislative initiative that she dubs the Privacy Rights and Oversight for Electronic and Commercial Transactions (PROTECT). It would represent "a Privacy Bill of Rights that secures the interests of consumers" (Clinton 2006). The launch was supported by a cluster of major corporations (CPLF 2006).
The adequacy of the Clinton/CLPF initiative is in doubt. It reflects the 'cut-down' version of 'fair information processes' that is expressed in the 'safe harbor' program. That successfully drew the teeth of the European Union's demands that the US enact genuine data protection laws; but it hasn't quietened the media, and it hasn't satisfied the public.
Because so many corporations still don't get privacy, the mild Clinton initiative may be watered down even further, or it may be lost completely. That would augur ill for companies facing ever more breakouts, and ever more kneejerk legislation to add to the hundreds of pieces of law already on the statute books. Red tape upon red tape which never adds up to genuine protections is the worst of both worlds - more costs and inconvenience for business, and no respite from public dissatisfaction.
In the meantime, the lack of a comprehensive framework for privacy protection represents an opportunity for early movers to Do It Yourself (D-I-Y). By applying to privacy the strategic planning approaches that your company applies more generally, you can not only avoid the downsides, but also reap the benefits of projecting the image of a privacy-sensitive organisation. This is all the more important if your company is applying new and intrinsically threatening technologies such as device location (Clarke 2001) and RFID (Nahra & Kuzin 2006).
In Clarke (1996), a few basic principles were suggested. They were:
A key tool is the technique of Privacy Impact Assessment (PIA - Clarke 1998). A PIA is a process whereby the potential impacts and implications of proposals that involve potential privacy-invasiveness are surfaced and examined. It is an inherently risk-based approach to understanding privacy issues, rather than one locked into legalistic rules. Properly conducted, a PIA ensures that benefits are maximised and that negative aspects are avoided or ameliorated. It pre-empts negative coverage by the media, and avoids unnecessary intervention by legislatures and regulatory agencies.
As part of a PIA, the organisation needs to identify potentially harmful contingencies, and pre-plan damage control procedures. Staff responsible for requirements elicitation and business process design need to find and solve privacy-related problems before they hit the bottom line. Defences against attacks through the media are far more credible if regulators and advocacy groups are aware of the organisation and its efforts to strike a reasonable balance. Being regarded positively by such organisations depends on ongoing consultation. There may be regulators who matter. There are very probably privacy advocates who do, and possibly some groups that are representative of the kinds of people who you deal with. Complement formal meetings with such organisations with focus groups of your real customers, your prospects, and the people who you'd like to draw into your customer-base. The modern era of extra-organisational systems demands a widely-inclusive definition of stakeholders (Clarke 1992).
The coming years will see a lot of powerful technologies being talked up by suppliers and trialled by businesses. These will generate yet more public nervousness about privacy, and hence more media extravaganzas, Congressional grandstanding, and public humiliation for the culprits.
If you don't want yourself and your company to go through what ChoicePoint did, and what Hewlett-Packard is currently experiencing, treat privacy as a strategic factor.
Bennett C. (1992) 'Regulating Privacy: Data Protection and Public Policy in Europe and the United States' Cornell University Press, New York, 1992
Chapman S. & Dhillon, G. (2002) 'Privacy and the Internet: the case of DoubleClick, Inc.', in Dhillon G. (Ed.) 'Social responsibility in the information age: issues and controversies' Hershey PA, Idea Group Publication
Clarke R. (1992) 'Extra-Organisational Systems: A Challenge to the Software Engineering Paradigm' Proc. IFIP World Congress, Madrid, September 1992, at http://www.rogerclarke.com/SOS/PaperExtraOrgSys.html
Clarke R. (1996) 'Privacy, Dataveillance, Organisational Strategy' Keynote Address for the I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html
Clarke R. (1998) 'Privacy Impact Assessment Guidelines' Xamax Consultancy Pty Ltd, February 1998, at http://www.xamax.com.au/DV/PIA.html
Clarke R. (1999) 'Internet Privacy Concerns Confirm the Case for Intervention' Commun. ACM 42, 2 (February 1999) 60-67, at http://www.rogerclarke.com/DV/CACM99.html
Clarke R. (2001) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Information Technology & People 14, 2 (Summer 2001) 206-231, at http://www.rogerclarke.com/DV/PLT.html
Clarke R. (2002) 'Trust in the Context of e-Business' Internet Law Bulletin 4, 5 (February 2002) 56-59, at http://www.rogerclarke.com/EC/Trust.html
Clarke R. (2006b) 'What's 'Privacy'?' 7 August 2006, at http://www.rogerclarke.com/DV/Privacy.html
Clarke R. (2006c) 'A Major Impediment to B2C Success is ... the Concept 'B2C' Invited Keynote, ICEC'06, Fredericton NB, Canada, 14-16 August 2006, at http://www.rogerclarke.com/EC/ICEC06.htmlClinton H. (2006) 'Senator Clinton Calls for New Privacy Bill of Rights to Protect Americans' Personal Information' U.S. Senate, 16 June 2006, at http://clinton.senate.gov/news/statements/details.cfm?id=257234&&
CPLF (2006) 'Statement of Support in Principle for Comprehensive Consumer Privacy Legislation' Consumer Privacy Legislative Forum, 20 June 2006, at http://www.cdt.org/privacy/20060620cplstatement.pdf
Culnan M.J. (1991) 'The Lessons of the Lotus MarketPlace: Implications for Consumer Privacy in the 1990's' Computing Professionals for Social Responsibility, 1991, at http://www.cpsr.org/prevsite/conferences/cfp91/culnan.html
Darlin D. (2006) 'Embattled H.P. Chairwoman to Step Down' The New York Times, 12 September 2006, at http://www.nytimes.com/2006/09/12/business/13hewlettcnd.html?ei=5087&en=f932c7413ca7c72d&ex=1173672000&adxnnl=1&adxnnlx=1158090415-IwqEQTFE8ny1LUZfmgqV1A&excamp=GGBUhpnews
Economist (2005) 'Demon in the machine: Privacy laws gain support in America, after a year of huge violations' The Economist, 1 December 2005, at http://www.economist.com/business/displayStory.cfm?story_id=5259499&no_na_tran=1
Fields T.D. & Cohen J. (2003) 'Case Study: Doubleclick Inc.' Harvard Businss School Case Study 9-103-016, 2003
FTC (1998) 'Privacy Online:A Report to Congress' Federal Trade Commission, June 1998, at http://www.ftc.gov/reports/privacy3/toc.htm
FTC (2006) 'ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress' Federal Trace Commission, 26 January 2006, at http://www.ftc.gov/opa/2006/01/choicepoint.htm
Givens B. (2003) 'California Security Breach Notification Law Goes into Effect July 1, 2003' Privacy Rights Clearinghouse, 23 June 2003, at http://www.privacyrights.org/ar/SecurityBreach.htm
McCullagh D. (2000) 'Intel Nixes Chip-Tracking ID' Wired News, 27 April 2000, at http://www.wired.com/news/politics/0,1283,35950,00.html
Nahra K.J. & Kuzin J.W. (2006) 'RFID Vendors Need a Privacy Strategy' RFID Journal, 19 June 2006, at http://www.rfidjournal.com/article/articleview/2428/1/82/
OECD (1980) 'OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' Organisation for Economic Co-operation and Development, Paris, 1980, at http://www.oecd.org/document/18/0,2340,en_2649_201185_1815186_1_1_1_1,00.html
Rotenberg M. (2004) 'The Privacy Law Sourcebook', EPIC, 2004, from http://www.epic.org/bookstore/pls2004/
Rule J.B. (1974) 'Private Lives and Public Surveillance: Social Control in the Computer Age' Schocken Books, 1974
Smith R.E. (2002) 'Compilation of State and Federal Privacy Laws', Privacy Journal, 2002, supplement 2005, from http://www.privacyjournal.net/work1.htm
USDoC (2000) 'Safe Harbor' U.S. Department of Commerce, 2000, at http://www.export.gov/safeharbor/sh_documents.html
Anderson A. (2006) 'Effective Management of Information Security and Privacy' EDUCAUSE Qtly 29, 1 (March 2006), at http://www.educause.edu/apps/eq/eqm06/eqm0614.asp?bhcp=1
Cavoukian A. & Hamilton T. (2002) 'The Privacy Payoff: How Successful Businesses Build Consumer Trust' McGraw-Hill Ryerson Trade, 2002
Clarke R. (1996) 'Privacy, Dataveillance, Organisational Strategy' Keynote Address for the I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html
Korba L., Song R. & Yee, G. (2006) 'Privacy Management Architectures for E-Services' National Research Council of Canada, 2006, at http://iit-iti.nrc-cnrc.gc.ca/iit-publications-iti/docs/NRC-48271.pdf
Sarathy R. & Robertson C.J. (2003) 'Strategic and Ethical Considerations in Managing Digital Privacy' Journal of Business Ethics 46, 2 (August, 2003) 111-126
Smith H.J. (2004) 'Information Privacy and its Management' MIS Quarterly Executive 3, 4 (December 2004) 201-213
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.
Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 22 September 2006 - Last Amended: 29 September 2006 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/APBD-0609.html