PrivatelyExposed

A Blog dedicated to exploring privacy and technology

Reversing Negative Privacy Behaviors Using a Didactic Approach

Posted by Wayne on March 14, 2014

There is an old phrase: death by a thousand cuts. This simple and oft-used phrase refers to a slowly occurring negative change, so slow that we often don’t seem to notice and even go as far as to adjust and accept the inevitability of the path that we’re on.

Personally this is what I believe many of us have come to accept when it comes to privacy in the digital age. When a new gizmo or website presents us with a new way of improving our life – we ignore the voice in our head and click through the privacy policy, fill in answers to questions, link other systems to the one we’re in and trade one more small slice of our privacy for convenience.

Image

In fact – I think this picture depicts what it is like – we are led by these tiny morsels of goodness – in trade for heading in a direction. Like Pavlov’s experiment we are trained slowly and in the smallest increments that it is ok to divest our ownership of our own information and acquiesce future control over the use or modification of the information.

The problem with this learned behavior is that the incremental loss of authority, access, and provenance of our data has to eventually lead to bad outcomes. Are all of the data collection systems bad? Not in the least. However, as technologies such as the Internet of Things, Cloud, and Big Data continue to develop ways to create, collect, harvest, and analyze data about us, we are assisting in populating the data warehouses.

So that gets us to what can we do about it? Thankfully there are a number of companies that are starting to tackle just that problem. One example is a company called Lookout which is a mobile app that helps a mobile user digest the privacy policy. We need products that alert us and teach us how to protect our privacy. One of the best models I’ve seen for this kind of teaching method is what Toyota has included in its Prius dashboard.

Image

 

If you’ve ever driven one – it has a visual feedback mechanism that gives the driver positive feedback when driving economically. I’ve personally experimented with it and if I ignore it and drive it like a big V8 – foot to the floor when the lights change, drive at 80+, etc. I get as little as 40 MPG. If I drive it paying attention to all the feedback and the conditions are right I learn to drive in a way that I can get between 54-60 MPG which is a huge difference in mileage.

This is what we need in privacy – companies that are not leading us down a path of complete exposure but down a path that teaches us how to be far more aware of our privacy risks and alert/monitor that what we are sharing is the right data at the right time, with as complete an understanding as possible of what the data is going to be used for and how it is put to use. This applies to data in all three phases – in use, in flight, and at rest.

I’m excited because for the longest time privacy protection wasn’t monetizable – companies can’t exist without revenue and wouldn’t be able to get investors interested without a solid economic model. Recent events have catalyzed innovation in privacy that has created interest in the VC community as well as for entrepreneurs. I will be talking about these exciting new companies over the coming weeks and months on this site.

It is good to be back and a very exciting time for privacy.

Wayne

Posted in Uncategorized

Rethinking Privacy in the Digital Age

Posted by Wayne on March 27, 2012

I’ve been teaching grad school for the past couple of years with the desire to eventually be able to create a course on a subject that is near and dear to my heart – Privacy. Well, that time has finally come, as I’ve been hard at work developing a course that has practitioner and theoretical content. The course includes combining four ways to frame privacy: legally – different laws by state and data type, technically – PETs and surveillance systems, regulatory – FTC/FCC/OECD, and socially – Facebook/LinkedIn, and more.

Here is the announcement from the director of the program (and one of my mentors) Dr. Maria Garcia:

“Greetings, Students!
Are you concerned about the privacy and security of your personal data? Do you work in an industry that manages sensitive data? Read on!
 
All businesses know the importance of safeguarding confidential data. This practice is no longer limited to companies subject to regulation, such as healthcare, education, and financial services. With increased access to personal information via social media and consumer products, such as smartphones and gaming systems, the growing risk of exposure affects everyone, personally and professionally.
 
With this in mind, Franklin Pierce is launching a new course – Rethinking Privacy in the Digital Age. In this class, students will learn the fundamentals of privacy – its origins, risks, and protections. Learn how to assess the value of your and your customers’ privacy when data is shared through online systems designed to use your information as currency.
 
Rethinking Privacy in the Digital Age (GI 590) will be offered at the Manchester, N.H. center in an eight-week hybrid format; hybrid classes meet every other week and classwork is completed online during the alternate weeks. The class begins on Tuesday, April 24, 2012 and ends on Tuesday, June 12, 2012.”
 

I can’t begin to tell you how excited I am! The sessions are going to include debates for/against advertisers’ and commercial companies’ rights versus the individual’s rights, an exercise writing a privacy bill, practical experience trying to gather information on others, and reviewing the new FTC privacy framework just published this week. If you have 8 weeks to spare – come join us! I know we will all learn something about privacy together and you get graduate or undergraduate credits as well.

Hope to see you there!

/Wayne

Posted in cloud, privacy, risk

Part 2 – Choosing the Assessments

Posted by Wayne on March 2, 2012

Once I had detailed the research questions, I next needed to decide what privacy assessments I was going to use. First I looked to the security instruments out there to see what they had, and found that although several of the common security instruments did have a few questions that pertained to information privacy, they were by no means comprehensive. For example, the ISO/IEC 27002:2005 instrument has sections on privacy policy management and data classification but is missing specifics on notice, use, or retention. The next place to look was for books on privacy assessments. Again, though I found books that contained sections on privacy, such as Debra Herrmann’s book “Complete Guide to Security and Privacy Metrics”, only about 10% of all the metrics listed were US-centric privacy metrics. US-centricity was a self-imposed requirement to manage the scope of this research.

The next approach was to try something that I figured would be an easy step – run a few searches on the Internet and I’d probably have too many privacy assessments to choose from. Instead what I got was a lot of commercial consulting companies that have all developed their own assessments. Now what? More searches, only directed, and emails to friends and friends of friends! I found three that seemed to be pretty good choices, and finding them detailed in an article written by Roger Clarke on Privacy Impact Assessments helped support the use of them.

DHS/DOJ Privacy Impact Assessment – The first one is the only mandated privacy assessment in the US, which is mandated by the DHS/DOJ when deploying a new government system (also somewhat government specific as well). Since it is a privacy impact assessment it is designed to be used as a ‘pre-assessment’ before a system is implemented. I couldn’t determine the provenance of the DHS/DOJ PIA but I had to assume that it is a ‘best practice’ and is reviewed by the office of the CPO. Also the DHS/DOJ PIA only has 40 questions in it, making it the briefest of the assessments.

ISO/IEC 22307:2008 Financial Services Privacy Impact Assessment – This is an international standard and is financial services biased. It is also a pre-assessment instrument and has a total of 102 questions. I had to purchase this assessment for my research from ANSI who manages ISO standards here in the US.

SharedAssessments Privacy Assessment – Shared Assessments is a not-for-profit group that was created by leading financial institutions and accounting firms. The instrument I used was an earlier version and was freely available. However if you wish to access the tools today you have to become a member. The SharedAssessments tool that I used has 127 questions.

So these are the three assessments I used. In my next post I’ll talk about the cloud providers I chose and why.

thanks,

Wayne

p.s. There is a bit of irony that I want to mention – a complete book on privacy impact assessments was published just recently that may be useful if you are interested in knowing more about this topic: Privacy Impact Assessment (Law, Governance, and Technology Series).

Posted in cloud, privacy, risk, Uncategorized

Part 1- An Introduction to my Dissertation Research

Posted by Wayne on February 11, 2012

Over the next few months I’ll finally be able to come out of hiding … not that I’ve been doing anything stealthy or that exciting even. I’ve been working on completing the hardest thing I’ve ever undertaken in my life – a PhD. Four and a half calendar years and literally well over a thousand hours of time. For some I guess this is something they know they are going to do when they are young and full of energy and strong of heart and mind, but for me this was my mid-life crisis.

Anyway – the coolest outcomes are: I definitely think a little differently about things and the research that I got to do has some interesting and (I think) valuable results.

My initial goal was to do something epic, far reaching, and somehow alter the way we think about things. Did I accomplish that? Yes for me I did. I had some outstanding help from some great minds on my dissertation committee that helped me to explore a few things that will add to the science regarding privacy. I learned a lot from the body of knowledge already out there, from and about myself, and from those who supported me through the process.

The topic of study was “An Empirical Study of Privacy Risk Assessment Methodologies in Cloud Computing Environments” the initial abstract was published here and it has changed to look more like this. The abstract is not the only thing to change – the hypothesis changed, the research questions changed, and even the methodology changed. Fortunately what didn’t change was the data.

For this post I’m just going to share the research questions:

Q1. Do existing privacy assessment methods adequately assess privacy risk exposures of cloud computing for the enterprise?

Q2. By using the scoring system (outlined in the methodology section) are the new characteristics in cloud computing such as on-demand/self-service, broad network access, measured services, shared resources, and elasticity adequately evaluated or accommodated in existing privacy assessment methods?

The drivers for these questions were based on some basic phenomena that I had observed 4 years ago when I started looking for problems to explore. First and foremost I was (and still am) so excited about cloud computing. In my opinion Cloud is the most interesting technical thing to happen since the 80’s, when VAX/VMS clusters ruled the computing world. The second thing that I realized was that privacy was also a domain that seemed to be important and was so incredibly polarizing with my peers in school and colleagues at work. The last thing that I noticed was that we seem to have this blind belief system and trust in assessment methods. Security folk call it checklist compliance – find a good checklist, check things off, and everything will be fine.

In the privacy domain risk assessments are very immature compared to the security world. Also what got me thinking about all this was – who says we’re asking the right questions? When we’re done why can’t we have a risk score like with our credit card score? I found some work done by Dr. George Yee (Estimating the Privacy Protection Capability of a Web Service Provider) that became the basis for my inquiry – how do we get assurances of privacy when we connect with web service providers?

More to come soon …

/wayne

Posted in cloud, privacy, risk, security, Uncategorized

Being Mentored

Posted by Wayne on December 2, 2011

 

Over the decades (yeah – decades) – I’ve had the opportunity to be mentored by many great people all through my career. 25+ years later I still seek out people who can guide and teach me new things and new ways to think. When I first started in the IT business I was a typical wet-behind the ears kid with an extremely curious side to me. I worked as a machinist for a company that made X-Ray equipment. I’d managed to get some college under my belt but wasn’t consistently going to school. I think one reason was I was making enough money to survive and part of it was I really didn’t find the domain I was studying (mechanical engineering) particularly interesting.

At the time the first “home” computers were coming out and I managed to acquire one and became completely infatuated with it. In no time I got pretty good at making it do stuff including things it wasn’t even really designed for (6502 assembly rocks!). One day my company’s TRS-80 that kept the warehouse inventory on it decided to eat a floppy disk with the inventory. Losing the inventory meant we all had to go home for the day while they tried to figure out what to do. Since I had time on my hands I decided to go see what was up and offered to try to repair the disk. I ended up writing something that read all the blocks off the disk that were good – which was 99.9% of the inventory. Needless to say – things changed after that – I got offered a job as the system admin of our “mini-computer” almost immediately, which was going to run a “real” MRP2 system. I didn’t know anything about mini-computers – but hey! I was now working in the field I really seemed to have a knack for and really was having a lot of fun too.

The manager of the IT department had a PhD and also did real-time microprocessor programming R&D for the company’s X-ray systems. Once I got my sea-legs in the new job I started troubleshooting problems. I’d go to his office, ask for help, and he would ask what’s up? I’d explain the problem and he would always ask if I had looked the error up in the manuals, and those first few times I’d always say no and he’d give me the look over his glasses that sent me on my way. I’d look the error up, chase the possible solutions through the manuals, narrow them down to the 1-2 most likely and go back to his office. He’d ask me what I learned and I’d tell him what I read and what I thought the problem was.

He’d ask how I would prove it was the right solution and he’d listen to me explain the approach, and sometimes he would have to make a small adjustment or two so that I didn’t take the systems down or break something. This went on for a good number of weeks until I realized that I might as well look stuff up, prioritize the solution, and then go tell him what I planned to do. Years later he confessed that he didn’t know any of the answers to my questions – what he did know was how he would go about seeking the answers. At the time I hadn’t realized all he did was mentor and teach me how to solve problems on my own.
 
My advice is if you are going to spend the time looking for a mentor – find someone who is not close to your skill and capability. Find someone who will stretch your abilities the most. Once you hit your stride with their help – you can achieve things beyond what you thought was possible.
 
I’ve had the benefit of a plethora of mentors, and I’ve also been able to shape my career from what I learned from them. I am, and always will be, incredibly grateful and indebted to all of them. Just four years ago I started work on a PhD and decided I wanted to find a sponsor at work who would provide some guidance and oversight for my research. After knocking on more than twenty doors, and dozens of meetings/calls, I found someone who was willing to shepherd my research and take on the added responsibility of being on my dissertation committee. He is one of the giants in the security industry, Dr. Burton Kaliski, founding scientist at RSA. For over two years he mentored me as a budding researcher and scientist. Most recently I’ve been working on several patents in privacy and once again I reached out to someone who knows a lot about the innovation process – Steve Todd, EMC Distinguished Engineer. Steve has written two books on the topic and has over 150 patents filed, making him one of the most prolific inventors I’ve ever met. Both of these people are giants in the areas I wanted to learn more about.
 
In grad school I took a leadership course that taught us that to be a good leader you also had to be a good follower. In my next post I’ll share my thoughts on taking on the role of mentoring and why I believe that if you are going to have a mentor, find a way to give back and mentor someone yourself.

/wayne

Posted in Mentor

Information Handling – Top 10 Information Tenets for the Cloud

Posted by Wayne on March 18, 2011

   My new role at EMC is to teach people to be Virtual Data Center (VDC) and Cloud Architects. For me this is a great privilege and an incredible learning experience – and a chance to build trust in the cloud one architect at a time.

   During the process the team of course developers researched hundreds if not thousands of papers, read numerous books (such as Nicholas Carr’s The Big Switch: Rewiring the World, from Edison to Google, David Linthicum’s Cloud Computing and SOA Convergence in Your Enterprise, Jeff Barr’s Host Your Web Site in the Cloud, Scott Lowe’s Mastering VMware vSphere 4, and Edward Haletky’s VMware vSphere and Virtual Infrastructure Security to name a few) and tons of blogs, and reviewed websites of manufacturers and consultants too numerous to list. We also spent time reviewing the standards and emerging standards developments such as those from the Cloud Security Alliance (CSA) and the European Network and Information Security Agency (ENISA), and also the great work that the National Institute of Standards and Technology (NIST) has been doing; we’ve incorporated the guidance and definitions from all of them into the class.

   One of the modules included in the VDC and Cloud Architect course we’ve developed is a Governance, Regulatory, and Compliance (GRC) section that I developed, focused on VDC and Cloud GRC definitions and processes. As I’ve had a chance to first research this in-depth and to teach it to over 50 people now, I’ve come up with a list of the top ‘10’ tenets:

  1. Always OWN your information no matter where it is. This has to be the number one rule. Always own your own data. Make sure that wherever it gets created, stored, shared, etc., it is your company’s information asset. Good providers will put that in writing in their terms of service.
  2. If you don’t have good GRC today, what makes you think you will have good GRC practices in a VDC or Cloud?  Seriously – does anyone think that if they go to a cloud they are all of a sudden going to have these great new policies and processes? Can you inherit new ones that the provider has that improve your standard? Sure – but how will you know that if you didn’t come up with a standard in the first place?
  3. Develop an information life-cycle for all information – cradle-to-grave. Information has a lifetime. Keep it too long and it gets you and your company in trouble. Either because it gets acquired by someone you don’t want to acquire it or demanded by a regulatory or legal entity that wants to get all the data they can going back forever if they can. Just like you can’t leave stacks of all printouts and correspondence around your office forever – you need to be diligent with your digital information. When it is created – set an expiration date, create an archive policy, and a purge date!
  4. Less (information) is more. One of the bad habits of the past couple of decades is that we develop software and databases that collect and store a lot more data than we’ll ever need. Information is a powerful tool – but it can also be a liability. Collect what you need; it will save you a lot of headaches and $$$ (minimally for storing and protecting) down the road.
  5. Develop an Information Taxonomy. Back a few decades ago – enterprise development efforts had things called meta data dictionaries and information flow diagrams. Because a large enterprise has so many applications that not only collect new data but also reuse data collected earlier, dependencies become critical for data accuracy reasons. For example, when a new application is built that is customer facing, recollecting the same customer data each time they engage with your company is frustrating for the customer and carries the inherent probability of creating a nearly duplicate set of information. I said nearly duplicate for a reason – the customer may put the address in differently the second time, creating a second version of the data. So when another application needs it – which one is right? By creating a taxonomy you can develop a methodology for single sourcing critical data, remove redundancies, and in this day and age – manage the regulatory and legal issues related to certain types of data.
  6. Always know who your (data) handlers are. Let’s face it – systems in general let more and more information be seen and handled by more people. This raises the risk quotient considerably. When you leverage a cloud services provider – you need to take the time to find out what their data handling procedures are. You are effectively increasing the risks and attack surfaces by extending your technology, people, and processes into the cloud. How do you mitigate this? One way is to go back again and read those terms of service. A good provider is going to say things like “our employees do not have direct access to your information nor are they allowed to engage with it without your express written permission” – when they want an affidavit attesting they are allowed to access it – they take their access to your data pretty seriously.
  7. Cloud Security requirements regarding information should be at least as good as internal, recommend they are better. This is much like the GRC standards in-house in #1 – but has to be said. Make sure your security standards are met by the provider and ideally their standard is higher. We’ve developed some excellent tools in the course that help determine what this should look like.
  8. Read, Comprehend, and Acknowledge all the information-related cloud provider terms. Actually read them (terms of service, terms of use, service level agreements, security policy, privacy policy, retention policies, termination agreements, license agreements, etc.), print them to PDFs, and sit with your legal department/contracts groups in addition to your information security and privacy offices. On-demand or not – these agreements will define roles and responsibilities and things like what happens when you no longer want to use the service and now you have to get all your data back, or what kind of data the provider keeps about you as a customer, for how long, who they share it with, etc.
  9. Think about Transitivity! This one applies to both service levels and other items like 3rd parties. For service levels – always look at what each discrete service you are using has for an SLA and then think about what happens when you bundle services. For example, when you combine a Virtual Machine service that is 99.95%, a storage service that is 99.99%, and a messaging service that is 0.00% – you get a combined service bundle for which you can expect a 0.00% SLA. When it comes to other items of concern – make sure the provider has the same standard for their 3rd parties as they do for their employees. For example, the provider uses a security contractor for their info-sec department. Do they do the same background and drug tests on the 3rd parties as they do for their employees? Does the provider have the same standard as you do for your employees? See the transitivity issue here? Make sure the standard is as good as or better!
  10. Evaluate your assets in terms of Asset Value. We spend a lot of time in the class talking about this one. Take the time to come up with valuations for the assets that are going to go into the cloud. For example, come up with a quick score that rates the asset as High/Medium/Low in value. Then make a policy decision that all High value assets either need special security provisions in the cloud or they just can’t be put in the cloud for now. This process helps prioritize the start of the process for assessing the cloud for your information assets and prioritizing the candidates, but it is only the beginning.
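
The transitivity point in tenet 9 can be worked through in code. The Python below is an added example, not part of the original post or the course material: it assumes every service in the bundle is required and fails independently (so availabilities multiply), uses a 30-day month for the downtime figure, and all function, service and control names are hypothetical.

```python
"""Transitivity checks for a bundle of cloud services (added example)."""
from math import prod

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day month


def bundle_sla(services):
    """Return the SLA a customer can expect from a bundle of services.

    services maps a service name to its SLA as a percentage (0-100).
    Assumption: the bundle works only when every service works, and the
    services fail independently, so the availabilities multiply.
    """
    if not services:
        raise ValueError("at least one service is required")
    for name, pct in services.items():
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"{name}: SLA must be a percentage between 0 and 100")
    composite = prod(pct / 100.0 for pct in services.values()) * 100.0
    return {
        "composite_pct": composite,
        # The service with the lowest SLA caps what the bundle can offer.
        "weakest_link": min(services, key=services.get),
        "downtime_min_per_month": (1.0 - composite / 100.0) * MINUTES_PER_MONTH,
    }


def control_gaps(required, parties):
    """List the controls each party in the handling chain is missing.

    required is the set of controls you apply to your own employees;
    parties maps each handler (provider staff, their contractors, ...)
    to the controls that handler is actually subject to.
    """
    required = set(required)
    gaps = {}
    for party, controls in parties.items():
        missing = required - set(controls)
        if missing:
            gaps[party] = sorted(missing)
    return gaps


if __name__ == "__main__":
    # Constructed sample data using the percentages from tenet 9.
    bundle = {"virtual_machine": 99.95, "storage": 99.99, "messaging": 0.0}
    print(bundle_sla(bundle))

    # Without the 0.00% service the bundle is still weaker than either part.
    print(bundle_sla({"virtual_machine": 99.95, "storage": 99.99}))

    # Constructed example of the third-party check described in tenet 9.
    print(control_gaps(
        {"background_check", "drug_test"},
        {
            "provider_employees": {"background_check", "drug_test"},
            "security_contractor": {"background_check"},
        },
    ))
```

Even with the 0.00% service left out, the two remaining SLAs combine to roughly 99.94%, about 26 minutes of permitted downtime in a 30-day month, which is lower than either service promises on its own.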

This isn’t an exhaustive list – but is a good starting point for coming up with some good practices for building trust in the cloud and assurance for Information Handling. Want to learn more – then come take our EMC Proven Professional VDC & Cloud Architect Class!

/wayne

Posted in Uncategorized

Privacy Assessments and their usefulness in the cloud, an empirical study

Posted by Wayne on December 12, 2010

It is a tad over a year since I started writing my dissertation proposal, and now I am embarking on the next part of the journey – the actual study. In the past year I’ve had the opportunity to author or co-author a couple of papers that are related to my dissertation study. The first one was a position paper about risk assessment in the cloud and how it would be accomplished as a service. The second one just got published in a special edition of IEEE Security & Privacy on cloud computing and is about cloud provider transparency.

PIA Image from ENISA

These are related to the dissertation study in that they all look at aspects of how privacy risk can be assessed in cloud environments. The dissertation study will differ in that it will empirically test three different privacy assessments against a ‘reference application’ that would run in cloud environments. The reference application will contain data that is regulated or needs to be protected as it is considered private data. The objective of the study is to determine how well the privacy assessments work in cloud environments. Does multi-tenancy have an impact on the outcome or does elasticity? Does one assessment versus another do a better job in cloud environments?

The study is not an exhaustive one because it has to be something I can finish in a reasonable amount of time (and finish is the key word here!). It is however unique based on my review of the literature. There does not appear to be a lot of empirical data when it comes to privacy in the research. I honestly couldn’t find anything published about privacy assessments other than Clarke’s work which provides some excellent background and perspective on privacy assessments and where they originated from (hint: environment impact). Breaches – yes – lots of good stuff, privacy assessments – no, not so much. 

Now I just have to sign up three to five cloud providers to allow me to do the study. A bunch of folks said “sure, when you are ready let us know” when I approached them before but now I need real commitments from cloud providers. If anyone can help me by putting me into contact with the decision makers on research at the CSPs or is interested in learning more – please feel free to send me a note or a tweet. The abstract can be found here: Dissertation Abstract and I’ll gladly provide more details on the study if you would like to learn more.

/wayne

email: wayne.pauley at gmail.com   twitter: @wpauley

Posted in Uncategorized

Should Teachers Friend Students?

Posted by Wayne on August 16, 2010

I was reading the NH Union Leader when I came across this article about the need for the school system to caution teachers not to “friend” their students in Facebook or Twitter.

Facebook heads-up headed to teachers:

 “All school district employees are reminded that personal information posted on the Internet is not truly private as it creates a permanent record that may be retrieved and retained and thus any expectation of privacy may be unwarranted,” the proposed policy states. “Information posted on the Internet is routinely reviewed by potential employers and may impact future employment opportunities.”

No-Facebook for Teachers

I have a couple of problems with this first statement. First of all – what an employee does with their personal information is – well their personal information. But, and there is a but needed here – public school teachers are public employees and should be guided by a code of ethics that holds them to a high standard. I would think this standard would include requirements on what is allowed in terms of types and modes of communications between students and teachers. I would think that this code would exist without any specific technical method for communication. So if a teacher only has a pen and paper or a landline based phone – there should be guidelines for what is acceptable and what is not acceptable. Ok – so now we have Facebook and Twitter and texting – so what? These should not have to have a new policy associated with them – the same guiding principles should apply.

The article continues with:

“The policy also prohibits teachers from inviting students to be “friends” on social networking sites or agreeing to student friend requests. They should not chat, text, e-mail or Instant Message with students “in an overly casual, unprofessional, inappropriate or offensive manner.”

Huh? Now the policy is going to thwart productive and useful interaction between students and teachers. What kind of message does this send to the students? Social networks are bad? The issue here is what is communicated and transparency. If a teacher wants to communicate with a student – then there need to be guidelines that are based on a code of ethics that the teacher has to follow. Private conversations are allowed between students and teachers – so why not allow private communications using other methods? The teachers’ ethics must be held to a high standard and that has to go beyond the classroom. We must also continue to find ways for our children to grow up in a world where the rules are the rules and good behavior is good behavior. Digital information technologies are part of our children’s DNA – they are growing up as digital natives. We all have to learn to appreciate the usefulness and capabilities of technology and also sustain the trust and control mechanisms that protect our students and the teachers. We must create an atmosphere of trust and the right to privacy.

I found another article on the same matter that mentioned that the school system had filters on its firewalls to stop the use of Facebook. Geeze do these people realize that 1 out of 2 Americans will have a smartphone by Christmas 2011 and that the first apps that are built for the phone are Facebook, Twitter, and Texting? Who cares what the firewalls do?

Ironically the teachers handbook for the Nashua school system that has put this new policy forward has nothing about a code of ethics on its website or in the Teachers Handbook. Why not? Transparency seems like a good policy – especially when it comes to ethics.

 What do you think?

/wayne

Posted in Uncategorized | Leave a Comment »

Finally, almost published …

Posted by Wayne on March 27, 2010

About 18 months ago I took a (premature) shot at publishing a paper on cloud … I was neither ready for the level required for the paper nor was the topic mature enough when I had started writing it. When I finally heard from the organization I submitted the article to I also almost gave up ever trying again … the whole process of submitting, waiting, etc. is really a trying process. The amount of friction involved likely drives many away from even bothering when there are so many other avenues with a much lower coefficient of friction.

For those who are prolific peer-reviewed researchers and writers my hat is off to you. With all the work work, school work, dissertation efforts, and errata activities I decided to give “published” writing a break.

In the past 2 months a funny thing happened – call it aligning the stars or something in the water – whatever it is I had a brainstorm for a paper, ran across a great venue for it, and my idea was accepted. I had blogged about and posted on other sites about cloud transparency so I thought why don’t I do the real research and empirically do a quick (small population) study. The process forced me to analytically break down the notion of cloud service provider transparency, do the literature review, and come up with a workable scorecard. Then I studied six cloud providers to see how they fared based on the scorecard. The process also forced me to re-evaluate the scorecard. I also had a few friends help out – like Randy Bias at Cloudscaling who made a few suggestions on the scorecard.

The second event came about through someone sending me the link to a venue and saying to me – “hey Wayne – you should present at this”. “This” happens to be this summer’s Usenix HotCloud conference. When I read the event structure and topics I knew I wanted to do something for the conference but … how do I do something that is related to my dissertation without spilling all the beans on what my study is about (this is a primal fear in researchers – for good reason – stolen work)? So I asked a colleague at work whom I am so privileged to know, Dr. Burton S. Kaliski, Jr., and who has so very graciously agreed to be on my dissertation committee. He suggested – why not take your thesis topic and we do something related as a position paper? So the scramble began and in two weeks we wrote a position paper on Risk Assessment as a Service in Cloud Environments … won’t hear if we got in or not for a few weeks. The whole process of working with such a knowledgeable person who can write a paragraph faster than I can read one! He is amazing and so fluid with his thoughts. We took a year’s worth of white board discussions and came up with a closely related topic that has already provided me greater insight into what I have to clarify in my thesis process.

So now the fun begins – I wait and hopefully go from – almost published … to published. Either way the experience and learning was well worth it. Now back to my thesis …

/wayne

Updated May 7th:

We (Dr. Kaliski and I) got accepted into the Usenix HotCloud workshop on June 22. We have some minor edits and then I will post the paper. You can find the program for the day here, which has sections on Performance/Power, Economics/Pricing, New Programming Models and Usage Scenarios, and my favorite, Security and Reliability.

Updated June 25th:

My second article got accepted by IEEE Privacy and Security. The article will appear soon online and be printed in a special edition on Cloud Computing this fall.

Posted in cloud, risk, security, Uncategorized | Leave a Comment »

What hat do you wear in private?

Posted by Wayne on March 15, 2010

I’ve been studying privacy for about three solid years now and have sat in graduate level classes, read some 300+ research papers and 100s of blog postings/articles (thanks IAPP – the dailies are awesome), own/read some 25+ books on privacy (check out my library), and even follow some great minds on Twitter (like @privprof!) – so this all totals up to hours and hours (north of 1500 hours) of thought after thought about privacy.

What strikes me as a point of interest is that 99.999% of the content seems to be about the user/consumer/citizen – the person. Not that this is a bad thing – because let’s face it – most private information comes from people. We have contemporary privacy scholars who focus on the legal aspects of privacy like Daniel Solove (if you haven’t read his book “Understanding Privacy” – I highly recommend it!). Software Engineering privacy experts like Lorrie Cranor who has driven incredible changes in how software, user interfaces, and web tools gather and use privacy related information. Roger Clarke who has looked at privacy statements and privacy impact assessments in-depth. Or Herman Tavani who has shaped much of the theoretical basis for IT Ethics (he has published some excellent research on Privacy & Ethics). And I could go on and on with the list of really great minds.

Recently I have had a few discussions with folks who are privacy experts – in fact a few of them are world-renowned in the academic circles. When I bring up the fact that business has a privacy requirement too – let’s just say I usually get a pretty strong negative response to that. One person even suggested that maybe I’m just working for a business and not really doing research.

Let’s face it – particularly here in the U.S. companies have been very liberal with their controls of their customers’ (and even just prospects’) information. Take the days of the 3×5 warranty card. How is it that a company that sold you a baby carriage needed to know your annual income or your age? All that they need to know (if they need to know anything) is the date it was purchased, where it was purchased, a serial number, and your address.

But … what if we thought about privacy a little bit differently? What if we thought of it as if the corporation were a person? For example – a corporation has to worry about the data of their employees, customers, and their own “information”. Their own information could include protected things like intellectual property or more grey area things like temporal or tribal knowledge (e.g. current incentives given to sales to drive sales behavior against a competitor).

Also – has anyone ever heard the phrase “it would be like pushing on a rope”? In other words if the discussion/argument/definition is one sided – how do you really move your position forward if there is nothing there to resist the progress? Benjamin Franklin said “Reading makes a full man, meditation a profound man, discourse a clear man.” How can the tension between man and corporation when it comes to privacy be one-sided? Researching and understanding the privacy privilege, violation, protections, perspective, and purpose from the corporate side of the coin seems to be not only valuable – but a requirement. How can we fully understand where the line needs to be drawn with regard to individual protections if the fight is one-sided?

H. Jeff Smith wrote in his book “Managing Privacy” that corporations only respond to privacy requirements when there is an external event (breach, lawsuit, regulation) – why not choose to find a different – proactive course? One which embraces the needs of the enterprise, assesses it against the needs and rights of the citizen – so that we can find the middle ground? Why constrain our forward movement in the realm of privacy to just the outcome of complaint or the past tense of lost privacy?

And no, my research is not for the corporation or by the corporation. My personal opinion is that corporate America does have too many liberties with our private information and we’re not adequately protected. However my opinion doesn’t count when it comes to research and one of the most interesting ways to study a problem is to reverse it.

/wayne

Posted in privacy, risk, Uncategorized | Leave a Comment »

 