IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves

The Future of Privacy
Blair Reeves
Product Manager, IBM Digital Analytics
Aurelie Pols
Chief Visionary Officer, Mind Your Privacy
@BlairReeves
@AureliePols

@BlairReeves
Privacy is Perception
… but do another.
66% of Americans say
they do not want to
receive targeted ads
53% of Americans want
websites they visit to
offer discounts tailored
to their interests
64% of Americans say they are less
likely to vote for a political candidate
who buys information about their
online behavior
92% of U.S. internet users say
they worry about privacy online
Behaviorally-targeted
ads have 240%+ higher
conversion rates
80% of internet users do
not “always” read
privacy policies, and
only half bother logging
out

Privacy is Perception
What

informa,on

am
I
giving

away?
Do
I

know?

Do
I
care?

User-supplied:
•  Name
•  Date of birth
•  Sex
•  Location (City, State)
Inferred:
•  Mobile device type
•  Login frequency
•  Clickstream
•  Browsing history
•  Purchase history
•  Social connections
•  Etc.
@BlairReeves

Consumers rely more and more on free
cloud services
@BlairReeves
0
200,000,000
400,000,000
600,000,000
800,000,000
1,000,000,000
1,200,000,000
1,400,000,000
Search Gmail Google Plus Drive
Google Services MAUs
Extrapolated
Confirmed by Google

What the future looks like
@BlairReeves

@BlairReeves
More and more of our lives
will be lived digitally
Cloud ● Mobile ● Connected
Citizens ● Consumers ● Humans

About me
Aurélie
Pols

Chief
Visionary
Oﬃcer

Mind
Your
Privacy

•  Grew up in the Netherlands, Dutch passport
•  French mother tongue
•  Most of my friends are bilingual at least
•  Have Polish & Russian origins
•  Set-up my 1st start-up in Belgium in 2003
•  Sold it to Digitas LBi (Publicis), in 2008
•  Moved to Spain in 2009
•  Created 2 other start-ups in Spain in 2012
Mind Your Group, Putting Your Data to Work
Mind Your Privacy, Data Science Protected
Yes, a “law firm” but we prefer to say
a bunch of Data Scientists working with
a bunch of Lawyers
@AureliePols

Context: Privacy tri-partite
Joint effort by:
1.  Governments &/or international
Associations => legislation,
guidelines, …
2.  Citizens/voters/consumers
3.  Businesses
Each party wanting to defend:
o  Personal Data Protection & the
Rule of Law through respect of
Fundamental Rights
vs.
o  Profits & hopefully
Sustainability
Governments
Citizens/
voters/
consumers
OUR
GLOBAL
SOCIETY
Businesses
Analytics vendors / Agencies / Data Users
@AureliePols

About Mind Your Privacy
 Boutique consultancy firm providing security
consultancy services and legal Privacy advice
 Our typical international clients manage sensitive
data within an international landscape
 Pluricultural and multi-skilled profiles - legal,
data scientists and technical
 Providing complete solutions to complex data
and privacy issues
@AureliePols

This presentation is for Data Users
Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg
@AureliePols

Privacy, the Word
From our Wikipedia friends:
From Latin: privatus "separated from the rest, deprived of something, esp. office,
participation in the government", from privo "to deprive”
The ability of an individual or group to seclude themselves or information about
themselves and thereby express themselves selectively.
The boundaries and content of what is considered private differ among
cultures and individuals, but share common themes.
When something is private to a person, it usually means there is something to
them inherently special or sensitive.
The domain of privacy partially overlaps security, including for instance the
concepts of appropriate use, as well as protection of information.
Privacy may also take the form of bodily integrity.
Source: https://en.wikipedia.org/wiki/Privacy
@AureliePols

Privacy, nothing to hide?
“If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the first place.”
Eric Schmidt, 2009
https://www.youtube.com/watch?
v=A6e7wfDHzew
Tip: Follow Daniel Solove on LindedIn!
@AureliePols

An Anglo-Saxon term?
Source: http://web.mit.edu/bigdata-priv/
http://www.whitehouse.gov/sites/default/files/docs/
big_data_privacy_report_may_1_2014.pdf
@AureliePols

Blame?
Source: http://mobile.nytimes.com/blogs/bits/2014/05/05/white-house-tech-advisers-online-
privacy-is-a-market-failure/
@AureliePols

Is this complicated?
Source: https://www.forrestertools.com/heatmap/
@AureliePols

Regulatory law
“Every country is a little different.
You run into different regulatory regimes and you need to
make sure you have the right tools so that people can
implement the right policies they are required to by
law…
They aren’t that different”
Source: Bloomberg Singapore Sessions
April 23rd 2014
http://www.bloomberg.com/video/big-data-
big-results-singapore-sessions-4-23-
kHN5zrGbR_Wq6hbmV9~aXQ.html
@AureliePols

A global perspective
US & UK EU APEC
Common Law Continental Law Continental
law
influenced
Class actions Fines
(by DPAs: Data Protection Agencies)
Privacy Personal Data Protection (PDP)
Business focused Citizen focused: data belongs to the
visitor/prospect/consumer/citizen
Patchwork of sector based
legislations: HIPPA,
COPPA, VPPA, …
Over-arching EU Directives &
Regulations
PII: varies per state Risk levels: low, medium, high,
extremely high
@AureliePols

Democracy & the rule of law
US & UK EU APEC
law
influenced
Class actions Fines
Privacy Personal Data Protection
(PDP)
COPPA, VPPA, …
Regulations
PII: varies per state Risk levels: low, medium, high,
extremely high
@AureliePols

Data Protection
In light of fuzzy interpretations of Privacy, could we
agree upon
• Thinking of it as data protection
• Protecting the data we are entrusted with
• While respecting the Right to “Privacy”
• Taking into consideration information security
measures
@AureliePols

Democracy & the rule of law
US & UK EU APEC
law
influenced
Class actions Fines
COPPA, VPPA, …
Regulations
PII: varies per
state
Risk levels: low, medium,
high, extremely high
@AureliePols

PII: ah but we don’t collect it!
Medical information as PII
California
Arkansas
Missouri
New Hampshire
North Dakota
Texas
Virginia
Financial information as PII
Alaska North Carolina
Iowa North Dakota
Kansas Oregon
Massachusetts South Carolina
Missouri Vermont
Nevada Wisconsin
New York* Wyoming
Passwords as PII
Georgia
Maine
Nebraska
Biometric information as PII
Iowa
Nebraska
North Carolina
Wisconsin
Source: information based on current
ongoing analysis (partial results)

@AureliePols

So what is considered PII?
Personal Information (based on the definition commonly used by most US states)
i Name, such as full name, maiden name, mother‘s maiden name, or alias
ii Personal identification number, such as social security number (SSN),
passport number, driver‘s license number, account and credit card number
iii Address information, such as street address or email address
iv Asset information, such as Internet Protocol (IP) or Media Access Control
(MAC)
v Telephone numbers, including mobile, business, and personal numbers.
Information identifying personally owned property, such as vehicle registration
number or title number and related information
Source: information based on current
ongoing analysis (partial results)

@AureliePols

If you collect PII… then
US & UK EU APEC
law
influenced
Class actions Fines
Business focused Citizen focused
Patchwork of
sector based
legislations:
HIPPA, COPPA,
VPPA, …
Regulations
PII: varies per
state
Risk levels: low, medium,
high, extremely high
@AureliePols

PII & legislation questions
•  Who knows their Chief Privacy Officer?
According to the DMA (US), CMOs should abide to
an average # of 300 pieces of legislation
•  Is PII really PII?
Zip code + gender + date of birth can uniquely
identify 87% of the US population
Source: Microsoft Latanya Sweeney (2000)
http://dataprivacylab.org/projects/identifiability/paper1.pdf
@AureliePols

PII vs. Risk levels
Low
Medium
(profiling)
High
(sensitive)
Risk
level
Data type
Information Security Measures
Extremely high
(profiling of sensitive data)
PII
@AureliePols

Data lifecycles
Analytics => Follow the Money
Information Security & Compliance => Follow the
Data
@AureliePols

The Privacy framework 1
User consent
Fair & Legal
process: FIPPs
Information for approved
use
Data diving analysis /
Big Data
New business
opportunity through
data
Purpose
@AureliePols

The Privacy framework 2
User consent
Fair & Legal
process: FIPPs
Information for approved
use
Data diving analysis /
Big Data
New business
opportunity through
data
Purpose
@AureliePols

Fair Information Practice Principles - FIPPs
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
@AureliePols

Data collection
•  Purpose – Consent
o  Reason for data collection:
•  Website improvement, better User Experience
•  Marketing communication
•  Opt-in? Opt-out? Double opt-in?
o  Depends upon:
•  Type of data: PII, sensitive data
•  Type of sector: financial, health, …
•  Geography: US vs. EU vs. ???
@AureliePols

Examples: US vs. Spain
US: no purpose,
no consent
Spain: consent,
purpose, opt-in & opt-
out
@AureliePols

Trust & creepiness
Consent is about a reasonable expectation of the use of data
o  There’s a fine line
between
feeling charmed
vs.
feeling invaded
o  Create win-win situations:
•  Customers give company information
•  Customers get better service/value for money
@AureliePols

Consent & Trust for Telcos
Slide borrowed from Stephen John Deadman fromVodafone Group Services Limited, IAPP congress Brussels,
November 2013

@AureliePols

Typical personal data misconceptions
Very often present in technology companies
o  We do not identify the user while using the data, so we have no
issues with Privacy law
o  We only use the serial # of the users device, so the data is
anonymous and we have no issues with Privacy laws
o  We encrypt the data so we are no longer using/sending/receiving
personal data
o  We use hashes to replace all serial #, so the data is now
anonymous and we have no issues with Privacy laws
o  We anonymize the data, so we are not using personal data
o  We can use the user’s data for anything we want, as long as we
keep the data to ourselves
o  Look: big name companies are doing the same, so we are ok
Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013

@AureliePols

EU fines?
Spain: responsible for 80% of data protection fines in the EU
Source: http://i0.kym-cdn.com/photos/
images/newsfeed/000/242/381/63a.jpg

Source: http://www.mindyourprivacy.com/
download/privacy-infographic.pdf

@AureliePols

Security (technical)
Data Collection
Processes
Resources
security
@AureliePols

Who has access?
Source: Mind Your Privacy seal, specific audit for analytics tools & data agencies
@AureliePols

Supplier reviews - Cloud
Typical international company set-up
Cloud:
•  SaaS
•  PaaS
•  IaaS
@AureliePols

Data flows = shared responsibility
Source: http://cdn2-b.examiner.com/sites/default/ﬁles/styles/image_content_width/
hash/6e/54/6e54dfaa644b1fe589e4462b6f2a20b7.jpeg?itok=OIAVYOR1

@AureliePols

As secure as the weakest link
Source: http://www.lebsontech.com/images/ChainLight.jpg
@AureliePols

Balancing Risks & Benefits
Risks
  SaaS PIAs: Privacy
Impact Assessment
  Security evaluation of
your own information
  Nature of your own
data
Benefits
 Price
 Transfer of
responsibility?
 Availability (BYOD,
strike, natural
disaster, …)
Source: http://www.labeshops.com/image/cache/data/summitcollection/7918l-
lady-justice-3-feet-statue-800x800.jpg

@AureliePols

Compliance vs. Risk Assessments
•  Achieving 100% compliance is a chimera
o  Compliance is a journey, not a destination
o  Level of required compliance linked to
•  Sector
•  Personal internal management
•  Company risk profile
•  Risk is a moving target
o  Risk of being fined
o  Risk of being breached
o  Brand perception => subjective
@AureliePols

A simple example
PII viewer for Google Analytics
http://davidsimpson.me/pii-viewer-for-google-analytics/
Customer
DBData Collection
Data Visualization
  Privacy Policy
  Hosting
  Security
  Terms of Use
  Access
  Consent
  FIPPs
  Data
retention
period
  (Hosting)
  Security
  Access
What data is Chrome sending
Is your company accountable
@AureliePols

Other ex.: BBVA Commerce 360
26M transactions/
day
25% of
marketshare for
Spain
Source: http://
www.slideshare.net/cibbva/
juan-carlos-plaza-explica-
los-proyectos-sobre-big-
data-de-bbva
@AureliePols

Data transformations
  Consent & purpose
  Through which pipes?
  Data (transfer) security?
  Data access?
  …
From granular to aggregated
@AureliePols

What to do?
1.  Know your information structure (cloud)
o  Can you exactly draw the Cloud supplier slide?
2.  Cloud inventory (PIA)
o  Provider (& sub-contractors)
o  Location
•  Cloud service HQ
•  Servers
•  Applicable law: our friend Snowden
•  Physical location: earthquakes?
•  Any incidents to report?
•  In-house control access (risk)
•  Terms & Conditions
•  Information Security measures
•  Related to Privacy
@AureliePols

What to do?
3.  Know your Data structure: data inventory
(cloud)
o  (Do you know which data can be found where)?
o  Have you reviewed your information security measures?
o  What happens in case of a breach?
4.  Authorization required?
o  Approval International Data Transfers (IDT)
o  Safe Harbor
o  Binding Corporate Rules (BCR)
o  User consent
@AureliePols

Moving to the cloud
1.  List your departments
2.  What type of data needs to be moved?
3.  What are your data risk levels?
o  Low / Medium / High / Extremely High
4.  What do you need for compliance?
Have a list of questions ready
to ask your cloud provider
except for the price!
@AureliePols

Note: slides blurred for confidentiality reasons
@AureliePols

MYP Information Security Framework
@AureliePols

MYP Services
For Data Users
  Risk Assessment to define maturity model (COBIT) and roadmap
  Define processes to establish proper security measures and create
policies to structure these process
  Audit the level of compliance of security measures that are in place
  Train staff to align them with security plan while reducing the risk of
suffering a data breach
  Define KPIs to adequately deploy a data governance program
@AureliePols

MYP Services
Analytics SaaS Providers
  Advice during the procurement process to define the best provider in
terms of data security management and privacy compliance
  Audit providers´ management of data and privacy
For Analytics vendors & agencies
 PrivacyGreen Seal

•  Visit the Smarter Commerce demos
in the Solutions Center (East/Central Hall of TCC)
•  Schedule an Executive One-on-One
(Grand Ballroom of Marriott)
•  Spend time with a subject matter expert at Meet the Experts
(Solution Center)
•  Set up your Twitter account at the Social Media Command Center
(Rotunda of TCC)
•  Sign up to be a reference at our Client Reference Lounge (Rooms 1- 2
of TCC)
•  Participate in our Hands-on Labs (Rooms 7-8 of TCC) and Certification
Testing (Room 9 of TCC)
© 2014 IBM Corporation 59
Find out more…
Check Summit Conference Connect from your phone, computer,
or on-site kiosks for details on these programs and more.

© IBM Corporation 2014. All Rights Reserved.
IBM, the IBM logo, ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and trademark
information” at www.ibm.com/legal/copytrade.shtml.
© 2014 IBM Corporation 60
Copyright and Trademarks

IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves

Similar to IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves (20)

More from FLUZO

More from FLUZO (11)

Recently uploaded

Recently uploaded (20)

IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves