What every product manager needs to know about online privacy

This seminar will introduce the issue and describe the potential for new privacy laws in the US and in the EU that could affect the business model of social media/Web 2.0/mobile app vendors.

  • The National Do Not Call registry was established in 2003. And the FTC periodically announces enforcement actions.
  • Same year as FTC Do Not Call Registry. Focus was mainly ecommerce sites.
  • Not picking on Facebook. Could have done similar for Google
  • Higher than only the airlines and cable TV services (66).
  • Why Washington Post, which is not exactly a tech center newspaper? Why not the New York Times, Wall Street Journal, or San Jose Mercury-News, any of which would be a more logical place? Because the audience for this message was in Congress and the FTC, not the general public.
  • August, 2010
  • Focus on social media web 2.0
  • Of special concern to people who are being stalked or harassed
  • Embarrassing for Apple and AT&T

What every product manager needs to know about online privacy Presentation Transcript

  • 1. What Every Product Manager Needs To Know About Online Privacy
      • Protecting Your Brand, Revenue, and Business Model
      • Phil Burton, Principal Consultant and Trainer, 280 Group
      • Product Camp New York, Sept. 17, 2011
      • ©2011 280 Group LLC. All rights reserved.
  • 2. Can Behavioral Targeting Survive Privacy Worries?
      • Targeting people based on their tracked online activities
      • Privacy advocates concerned about the ways advertisers are gathering data
      • BT spending growing 20% per year, could surpass search ad revenues by 2015
      • SF Conference on Behavioral Marketing, July, 2011
      • “We don’t need a law to govern our industry,” speaker says. “It will hold back innovation.”
      • http://www.forbes.com/sites/roberthof/2011/07/20/can-behavioral-targeting-survive-privacy-worries/
  • 3. Why is Online Privacy Important?
      • Lack of effective user privacy can affect revenues and damage your business model
          – Loss of trust and reputation
          – Brand damage
          – Decreases in site visitors
          – Lower revenue
      • Real and growing risk of increased government regulation
          – Limit revenue opportunities
          – Impact business model
          – Limit opportunities for acquisition
  • 4. Focus of this presentation
      • User online privacy issues
          – Potential business impacts
          – Web 2.0
          – Social Media
          – Mobile Apps
      • Not
          – Consumer or parental guide to safe online activities
          – Online censorship in China, other repressive govts.
          – WikiLeaks or “hacktivism” in general
          – Overall issue of online security and hacking
          – Technical presentation on website security
          – Phone hacking
  • 5. Agenda
      • Why is user privacy an emerging concern?
          – recent privacy issues
      • Government regulation: precedents and potential new laws
      • Public concerns
      • Industry responses
      • Causes of lack of user privacy
      • Product manager responsibilities
      • Takeaway ideas
      • What is the 280 Group?
  • 6. Sony - Three Data Breaches
      • Three separate data breaches in April, 2011
          – PlayStation Network
          – Qriocity music and video service
          – Sony Online Entertainment
          – One of largest data breaches in US history
          – One breach not discovered until May 3
      • Over 100 million accounts affected: customer name, address, email account, DOB, gender and phone number, login name, “hashed” password, encrypted credit card number
  • 7. Sony - Three Data Breaches
      • Analysts estimate costs at $170 M to $1 B
          – “deeper damage to brand image” could affect long-term product plans
      • Share price fell 55% from April to September
      • Service offline for 11 weeks
      • Class action lawsuit filed August 6, on behalf of all US subscribers
          – Alleges Sony violated Federal Electronics Communications Privacy Act, negligence, breach of fiduciary duty, seeks damages, etc.
  • 8. Apple - iPhone Location Tracking
      • April 20, researchers disclose Apple collecting iPhone location data since 2010 launch of iOS 4, stored in unencrypted file
          – Congressman Ed Markey, co-chair of House Bipartisan Privacy Caucus, sent letter to Apple CEO Steve Jobs
      • Apple sued April 21 for privacy invasion and computer fraud by two FL customers
      • Apple’s response, April 27, claims data collected to improve location-based services, cannot track individual users
      • Rep. Jay Inslee of Washington said on April 27 that Federal Trade Commission investigation needed
      • Senate held two subcommittee hearings in April
      • July 14, Apple pays $945 to settle iPhone tracking suit in Korea
  • 9. Facebook – Picture Tagging and Facial Recognition
      • Manual picture tagging possible without opt-in permission from other people
      • Facial recognition (June, 2011) feature added suggestions for names
          – Facebook announced users could disable feature
      • European reaction was very negative, starts probe immediately
      • Negative reaction on US blogs
          – “Unfortunately, once again, Facebook seems to be sharing personal information by default.” – nakedsecurity.sophos.com
          – “Facebook is officially getting super-creepy. .. the end of privacy as we know it” - http://www.pcworld.com/article/229742/why_facebooks_facial_recognition_is_creepy.html
      • Divorce lawyers love this feature
  • 11. Is This the Future?
  • 12. A Legal Precedent for User Privacy Legislation
      • State privacy laws - California SB 1386
          – Effective July 1, 2003
          – Requires an agency, person or business that conducts business in California … to disclose any breach of security (to any resident).
          – Similar laws now in force in 46 states in US
      • What would be the impact if these laws were extended to online privacy issues?
  • 13. HIPAA (1986) and HITECH (2009)
      • Health Insurance Portability and Accountability Act (HIPAA)
          – Mandates patient medical record privacy
          – No enforcement mechanism
      • Health Information Technology for Economic and Clinical Health Act (HITECH)
          – Creates enforcement mechanisms for HIPAA
  • 14. Federal Trade Commission Privacy Concerns
      • December, 2010, FTC Staff Issues Privacy Report
      • Framework for Consumers, Businesses, and Policymakers
          – Endorses “Do Not Track” browser mechanism to Facilitate Consumer Choice About Online Tracking
      • FTC has ability to implement new rules without Congressional approval
  • 15. Google Settles with FTC Over Buzz (March, 2011)
      • US Federal Trade Commission charged Google with violations of own privacy policy, with Buzz social network service
          – Gmail account info used without user OK
      • FTC requires Google to get user OK before sharing info
      • 20 years of audits, fines
      • “… legal order … further than voluntary commitment,” – deputy dir, FTC Bureau of Consumer Protection
          – First such action
          – “broad consequences” expected
  • 16. Twitter Settles Federal Trade Commission Charges (June, 2010)
      • FTC charged Twitter deceived consumers and put privacy at risk
      • First case by FTC against social media site
      • Complaint charged poor security allowed hackers to gain admin control, send phony tweets
      • Twitter barred for 20 years from misleading consumers about security, privacy, confidentiality, also must create comprehensive security program, outside auditing
  • 17. 2011 Proposed Congressional Legislation
      • Series of bills introduced by senators and representatives, most recently Sept. 8
          – Consumer online privacy
          – Use of geolocation by law enforcement agencies
          – Broader issue of data breach – supplant state laws with uniform national standard
      • Too numerous to list, discuss in any detail
      • Issues and differences along party lines around definition of private data, opt-in vs. opt-out, consumer right to sue, FTC powers
  • 18. FTC Report on Children’s Privacy
      • Sept. 16 (Friday!) FTC proposed changes to Children’s Online Privacy Protection Act (COPPA)
          – Requires parental permission for company to collect any personal information for child under 13
          – Changes include location data, use of cookies for purpose of targeted advertising
          – Prompted by “explosion” in children’s use of mobile devices, online social media, interactive gaming
  • 19. European Union – Right to be Forgotten
      • March, 2011, European Union confirmed that it will enshrine right to be forgotten in law.
      • Justice Commissioner Viviane Reding warned Facebook in 2010 that she was dissatisfied with changes to the social network’s privacy settings.
      • In speech to European parliament, Ms Reding said that, “A US-based social network company that has millions of active users in Europe needs to comply with EU rules.”
  • 21. “Forget Email... Social’s the New Spam Vector”
      • “… this shift in spammer strategy from email to social networking sites tracks perfectly with users’ online behavior”
      • “spammers are counting on … our collective naïveté.”
  • 22. Damage to Facebook Brand
      • Why Facebook’s “private” messages are a joke, Jesse Stanchak on May 6, 2010, http://smartblogs.com/socialmedia/2010/05/06/why-facebooks-private-messages-are-a-joke/
      • ACLU Weighs in on Facebook’s Privacy Issues, Rex Gradeless, May 13, 2010, http://socialmedialawstudent.com/featured/aclu-weighs-in-on-facebooks-privacy-issues/
      • 6 Alternatives to Facebook, Itamar Kestenbaum, May 20, 2010, http://www.socialmediatoday.com/SMC/199443
      • … and many, many more …
  • 23. Consumer Reports Takes Notice
      • June, 2010 Magazine
          – Two out of three online U.S. households use social networks such as Facebook and MySpace, nearly twice as many as a year ago.
          – But “millions … put themselves and their families at risk by exposing very sensitive personal information,” … national survey of 2,000 online households conducted in January.
      • March 23, 2011 email on “Zombie cookies”
          – Describes privacy threat from cookies “…bits of code placed on your computer by companies that track you while you’re on the Internet — they come back even after you have carefully deleted them. And that’s not illegal.”
          – Invites reader to sign online petition
  • 24. ACLU Cites “Social Insecurity”
      • “We’re just at the beginning (italics added for emphasis) of seeing what the implications are for so much information being posted on social networks,” Nicole Ozer, the technology and civil liberties policy director .. ACLU, N Cal.
  • 25. Brand Damage: Poor Customer Sat with Social Media websites
      • ForeSee Results, Annual E-Business Report for the American Customer Satisfaction Index (ACSI), July 19, 2011 – http://www.foreseeresults.com/research-white-papers/_downloads/foresee-results-annual-e-business-report-2011.pdf
      • “…interviews with approx. 70,000 customers …to measure satisfaction with more than 200 companies in 44 industries and 10 economic sectors”
      • “Customer satisfaction, as measured using the American Customer Satisfaction Index (ACSI), is a proven predictor of future financial performance.”
  • 26. Brand Damage: Poor Customer Sat with Social Media websites
      • Key finding: “Satisfaction with social media sites remains low, yet stable, with an unchanged aggregate score of 70. …while Facebook remains the lowest-scoring … at 66, despite making some small improvements”
      • “… social media is among the lowest-scoring [across 47 industries] measured by the ACSI. Only airlines, cable television, and print newspapers manage to satisfy customers less than social media websites.”
          – Threat from Google + ?
  • 28. Mark Zuckerberg Doesn’t Value Privacy
      • January 9, 2010
      • April 23, 2010
  • 29. Zuckerberg Admits Mistakes About Privacy
      • May 24, 2010
  • 30. Zuckerberg Public Letter Really Targets Federal Government
      • Zuckerberg letter to blogger and Op-Ed piece in Wash. Post, May 24, 2010 -- http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html
          – “There needs to be a simpler way to control your information,” he wrote. “In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services.”
          – First response to “furor over Facebook’s user privacy moves that left the site with a public relations problem and fighting to defend its reputation.”
  • 31. Tone Deaf Eric Schmidt calls for Young Adult “Witness Protection Program”
      • “[Schmidt] predicts, apparently seriously, that every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends’ social media sites.”
      • Doesn’t Google have any responsibility here?
  • 32. Apple’s Very Different User Privacy Policy
      • Steve Jobs on user privacy:
          – “ … different view … than some of our colleagues in the Valley. We take privacy very seriously.”
          – “Privacy means people know what they’re signing up for. In plain English. … repeatedly”
          – “Let them know precisely what you’re going to do with their data.”
          – Wall Street Journal, Technology, Kara Swisher and Walt Mossberg, June 7, 2010, p. R3.
  • 33. “Do Not Track” Option in Firefox 4 Browser
      • Released March 23
      • Builds on “Privacy Mode” in Firefox, Internet Explorer
      • Depends on website voluntary compliance
      • Also in IE 9
  • 34. Causes of Privacy Threats
      • Corporate policy
          – Business model monetizes private data
          – Complete indifference to privacy issues
      • Poor operations and programming practices
          – Badly designed, buggy software and configurations
          – Poorly secured websites allow professional criminals to steal user private data
              • “contribute” content with “malware”
              • forcefully plant malware
              • Hijack user accounts to send spam and steal private data
      • Lack of user education
          – Users don’t know how or why to protect private data
          – “Social Engineering” tricks users
  • 36. Define Market Requirements
      • Well-researched Market Requirements should cover both stated and unstated (latent) needs
          – Protect your company’s brand and revenue
          – Perhaps protect your career
      • Privacy/Security requirements not called out because they are “universally understood” or perhaps not understood
  • 37. Who Understands Privacy (Security) Issues?
      • Almost all end users (business, consumer) do not begin to understand privacy issues
      • Most Line of Business owners prioritize time-to-market, or won’t invest in effective security
      • Many software developers do not know how to write secure code
      • IT often deploys insecure websites, networks
      • Most product managers not aware
  • 38. Define Market Requirements
      • Privacy Policy
          – User privacy respected by web site owner company and third parties, including advertisers
          – User data protected from unauthorized access by individuals and companies
          – Simplify data sharing options and default to NONE
      • User Education
          – Educate about managing their data
          – Educate about privacy implications of sharing data
          – Provide effective and timely advice and warnings about social engineering attacks
          – Provide effective help
  • 39. Influence Company Policies
      • Programming, Administration and Operations
          – Test all changes to prevent exposure of user data
          – Ensure that user posted content is safe
          – Detect and remove malware planted by hackers
          – Work with security vendors on emerging threats
          – Notify users proactively of security breaches, even if not required by law
          – Include partners in security programs
          – Maintain ongoing programs and provide sufficient resources, including outside help
  • 41. Takeaway Ideas
      • You must understand the business consequences of poor user privacy
          – It’s only your company’s revenue, business model and maybe your career
      • As the product champion, you must articulate the issues, document the requirements, and influence overall policies in your company
      • You do not have to be security expert
  • 42. Closure
      • Questions?
      • Contact me later
          – phil@280group.com
          – (650) 766 9970
          – http://tungle.me/philburton to set up an appointment
  • 44. 280 Group
      • Based in Campbell, California
      • Exclusive focus on product management and product marketing
          – Consulting & Contractors
          – Toolkits & PM Office™ (Product Manager’s, Roadmaps, Launches, Beta, Reviews)
          – Training: public & private
          – Certifications
  • 45. Why are we the “280 Group?”
  • 46. 280 Group Resources
      • Free templates
      • White papers
      • Product Management Manifesto
      • 280 Group Product Management 2.0 Newsletter
      • 280 LinkedIn Group
      • PM job hunting/listings
      • Product Management 2.0 Blog
      • 280 Group Press books
      • Go to www.280group.com in the “Resources” section.
  • 47. ADDITIONAL BACKGROUND AND EXAMPLES OF PRIVACY LACK
  • 48. California SB 242 User Opt-In
      • Bill failed to pass, June, 2011, due to opposition from industry
          – Facebook, Google, Twitter, Skype, Match.com, eHarmony, Yahoo, others
          – Opposition claimed law would damage California businesses
      • New York Times Op-Ed piece referred to “Big Data,” as lobby similar to “Big Oil”
  • 49. Poorly Protected Website Infected with “Drive-By” Malware
      • Hackers successfully penetrate well-known site
          – Plant “Drive-by downloads” on poorly protected sites
      • safeweb.norton.com/buzz
  • 50. The Not-Private Blog
      • The “niece’s blog”
          – The aunt periodically did Google search on nieces and nephews to keep up with their activities
          – College freshman niece wrote one blog for parents and relatives
          – Wrote second blog just for friends
              • Password protected
              • Drugs, sex, wild parties, disparaging comments on family
              • Google found it with normal “spidering”
  • 51. Facebook Policy Causes Privacy Threats
      • “Your Privacy Isn’t So Private” – San Jose Mercury-News, Tech Files column, May 3, 2010
          – Facebook is “cavalier” with privacy of its users
          – “Alarm bells went off in my head over the privacy issues”
          – “Astonishing how much information Facebook now considers ‘public’ and is sharing with its marketing partners”
  • 52. Google and Facebook “Blurring the Line”
      • “A Blurring Line: Private and Public” – NY Times, Bits column, March 15, 2010
          – Google Buzz service “complete disaster” by linking email accounts to status updates on social networks
          – Facebook makes members’ information public by default
          – Issue is “broader muddying of the line between what is private and what is public online.”
  • 53. Facebook Places issue
      • Facebook announced location service “Places” August 18, 2010
      • Immediate criticism of default “opt-in”
          – No single opt-out setting
          – No ability to control which people can see check-in
          – Can “check-in” friends without permission
          – Available to Facebook partners and phone apps
  • 54. Corporate Indifference: Uploaded Photos Reveal Subject Location
      • “Geotags” in uploaded photos identify exact location
      • Children, friends, houses, expensive cars, etc.
      • Website APIs make it easy for criminals and stalkers to locate on Google Maps
          – “Cyber-casing”
      • Users “compromising their privacy, if not their safety”
      • Illegal under copyright law to strip out all “metadata”
      • Smartphones and websites need better user controls
  • 55. Backlash Over Un-Deletable Cookies
      • “Cookies Cause Bitter Backlash” -- Wall Street Journal, September 19, 2010 http://online.wsj.com/article_email/SB10001424052748704416904575502261335698370-lMyQjAxMTAwMDIwMDEyNDAyWj.html
      • Companies now using “Flash cookies” that can “re-spawn” after being deleted by user
      • Six lawsuits filed July – September, 2010
      • “There are some in the industry who do not believe that users should be able to block tracking…,” Chris Hoofnagle, director, Berkeley Center for Law & Technology’s information-privacy programs
      • Two bills introduced into Congress
  • 56. Credit Card Numbers Revealed
      • Web site Blippy.com revealed credit card numbers
  • 57. Credit Card Numbers Revealed
      • Not enough testing
          – http://techie-buzz.com/tech-news/credit-card-numbers-of-blippy-users-show-up-on-google.html (April 23, 2010)
  • 58. Not So Private Chats on Facebook
      • Insufficient testing or poor configuration revealed private chats on Facebook
  • 59. Poor Operations Practices Reveal iPad phone and email info
      • AT&T website exposed phone IDs and email addresses of 114,000 iPad owners
          – dozens of CEOs, military officials, and top politicians
          – FBI investigating
          – Wall Street Journal, June 11, 2010
  • 60. Brand Damage: Poor Customer Sat with Social Media websites – 2010 study
      • ForeSee Results, Annual E-Business Report for the American Customer Satisfaction Index (ACSI), July 20, 2010 – http://www.foreseeresults.com/research-white-papers/ACSI-e-business-report-2010.shtml
      • “…interviews with approx. 70,000 customers …to measure satisfaction with more than 200 companies in 44 industries and 10 economic sectors”
      • Key finding: “Social Media: Customer satisfaction with social media sites is poor (70) … lowest industry aggregate score of any of the e-business or e-retail industries.”
          – Better than only airlines and subscription TV (66)