Cloud computing has significant implications for personal privacy and the confidentiality of sensitive business and government data. The dramatic rush to the cloud to take advantage of cost savings in the current economic environment warrants a more careful look at the consequences to privacy and confidentiality.
What do we mean by ‘home’ in the digital age—our public information/reputation footprint—what can people learn about you?—what are the 4th Amendment implications of cloud storage vs. what are citizens’ expectations? Access, control, use.
For those that don’t know, Intelius is a direct-to-consumer provider of public information about people and businesses. Let me be clear, I’m not an attorney, although I work with some great ones. I’m an engineer trained in signal processing, cryptography, software, and big data. So, I’m more of a geeky nerd—but relatively high functioning. I started my career designing avionics systems for space vehicles at what’s now Lockheed-Martin.
So my first job out of college was working on the Space Shuttle. On January 27, 1986, I show up for my first day. The next day, the Challenger blows up. In the ensuing Rogers Commission investigation, Nobel Laureate Richard Feynman famously demonstrated how the o-rings failed on that rare below-freezing Cape Canaveral morning (28 F, previously coldest launch 53 F). Feynman resisted participating on the Rogers Commission that investigated, but he relented, after his wife urged him that there’d be 11 people running around in a knot and one lone mosquito finding anything there is to find. Turned out Feynman’s wife was right when Rogers said at one point that “Feynman is becoming a real pain.” It turned out that the Morton-Thiokol engineers knew about the risk, but were overruled by corporate brass. The moral is that politics can’t trump physics or economics. And it takes an innovative generalist, like Feynman, to cut through the politics with the truth. The eclectic innovative generalist perspective is key to navigating a complex topic like cloud privacy.
We know all the tech players since the 60s. It started with IBM and grew from there.
I like to decompose this timeline into a landscape of closed/open computing versus client/cloud computing. In fact, I’d argue that cloud computing is the “nouveau tech” term for what was server or mainframe or timeshare. When computing was young there was just Big Blue timeshare mainframes. Clients went from thin dumb terminals to fat PCs and workstations (MSFT, Adobe, Apple), and mainframes thinned out to servers (Sun, Oracle). Then came the Internet, which allowed fat clients to talk to thickening servers. Jeez, sounds like a recap of a Biggest Loser season. This world was largely closed, but for the slowly growing open-source technologies that have enabled the thick web cloud services talking to thin devices like computer browsers and phones. Many of them use open-source technologies, like FB, LI. What’s interesting is that what’s old is new again. We started with thick timeshare mainframes and now we have thick cloud services. We started with thin, dumb terminals. We now have relatively thin clients.
What’s in the cloud and what’s it used for?
King James Bibles = 167 TB × (1e6 MB / 1 TB) × (1 King James Bible / 4.13 MB) = 40,435,835 Bibles. I find religious metaphors helpful when discussing a subject that engenders such passion, like “privacy”.
King James Bibles = 91,000 TB × (1e6 MB / 1 TB) × (1 King James Bible / 4.13 MB) = 22,033,898,305 Bibles (550+ times more). http://en.wikipedia.org/wiki/Deep_Web
20 Exabytes of data were created, transferred, replicated from the dawn of civilization through 2002. Four times that amount was created, transferred, and replicated in April alone. And April was a short month. http://themetricsystem.rjmetrics.com/eric-schmidts-5-exabytes-quote-is-a-load-of-c
Lots of uses, some regulated, most not. “Needing to find the owner of a dog’s sibling to enable a canine bone marrow transplant.” “Finding a son put up for adoption to speak to his biological mother on her death bed.”
So is there any hope? Can the Internet and privacy coexist? Did the Internet kill privacy or are we? I’m a pragmatic optimist, and think there is common ground. There are some amazing innovations around reputation and control that are empowering people in this digital, social age – from the big boys and little startups. A thousand flowers are blooming.
First, it’s important to ask: what’s public and what’s private?
Let’s get a little historical context.
When towns were small, typical of the 19th Century, everyone knew everyone’s business and there was little expectation of privacy. I spent some time in Greensboro AL (50m south of Tuscaloosa, population 2500). If you cut school, the whole town knew by dinnertime.
In the 20th Century, privacy expectations rose with the growth of big, dense, anonymous cities.
And now social networks are returning us to the intimacy of the small town with huge growth in data availability. Privacy expectations just haven’t kept pace with the data deluge, giving us privacy vertigo. Other apropos quotes: “If you want to make enemies, try to change something.” – Woodrow Wilson. “Every generation needs a new revolution.” – Thomas Jefferson. “Most of our assumptions have outlived their uselessness.” – Marshall McLuhan.
Andrew Keen says we are “Losing ability to be alone”. Jeff Jarvis: “We are social animals. There are benefits to publicness.” We need to get more sophisticated, more granular about how we think about publicness and privacy online. Yentas and gossips have been around for millennia as a key glue to the society – matchmakers, news carriers, healers, ritual keepers. Actually, not much different than how we think about privacy and publicness offline.
Privacy levels power disparities, like between citizens and governments (Bruce Schneier). That’s why there are privacy protections in the US Constitution.
But the 4th amendment doesn’t protect citizens from each other. We have statutory protections between citizens.
Clear parallels between offline and online access and use.
So, there are clear parallels between offline data access and use and online data access and use.
How can we control – empowerment or regulation?
State breach disclosure laws: http://www.ncsl.org/default.aspx?tabid=13489
When asked what his poems mean, Robert Frost answered (paraphrased): “Half of the meaning is what I write, and half of the meaning is what you read.” Reputation is similar: some of your reputation is what you put out there (what you say and do) and the rest is what the world sees.
And it’s the eclectic innovator who, I believe, is the prototype for how the Chief Privacy Officer role is evolving and where I professionally and, quite accidentally, find myself these days. Clearly environment drives evolution and social networking is driving us from an innocent age without privacy officers, to today’s frontier era of regulatory privacy officers, and pushing privacy officers to be 1st class members of product teams – ones who have the privacy sensibilities and technical chops to get a product out the door. A special shout out to Austin Alleman for pulling this cool drawing together. Austin is a student at Santa Clara University, friend of my son Quin. Follow Austin @allemanau. He’s a tireless, talented kid who, literally, works for food.
For example, “breach disclosure” is pretty clear. Don’t spill data.
For example, when are you in public and when are you in private? Twitter and LinkedIn are mostly public. But Facebook can be either.
Ashley Payne: Georgia teacher fired for pictures found on Facebook of her drinking on vacation. She made the claim (on CBS Sunday Morning) that it was like her home was invaded and the pictures were stolen. That’s an incorrect assessment. It was more like she shared her pictures with a gossipy friend. What was wrong was how the school board abused the data, not that they had access to it.
A note of confusion, with a metaphor taken from machine learning “confusion matrices”. Don’t confuse inappropriate access with inappropriate use. FCRA, passed in 1970. Dialogs like this are necessary, but not sufficient, but we won’t legislate or regulate ourselves out of this confusion. Frankly, “default anti-social” is antithetical to the human “default social” experience.
So, consumers are starting to notice the privacy & reputational issues. They are actually finding their privacy settings, and realizing when privacy policies abruptly change.
But compliance alone won’t cut it. Compliance is too prescriptive, too slow, and too blunt. You know Einstein’s adage: “make things as simple as possible, but not simpler”. Compliance alone is just too simple.
Well, to dabble in the heretical for a moment, how about ditching compliance for innovation? To borrow from Hilary Mason, the Chief Scientist at Bit.ly, Math + Code = Awesome. But as some of you are, no doubt, thinking, there’s a bit of a problem with this.
Sometimes “awesome” means awesomely destructive – like when the Wall Street “quants” nearly destroyed the world’s economy by concocting derivatives – “financial weapons of mass destruction” as Warren Buffett called them. So maybe we need a corollary to Mason’s Maxim that scales technology with values.
Negative values, super bad. Positive values, like fine-grained privacy controls, super awesome.
You get to the right solutions with a discussion around the tough, sometimes seemingly religious, issues.
An example: when I first joined Intelius nearly 3 years ago, I went on a listening tour of the company’s toughest critics (some in this room). Top of the list was Cindy Southworth, an exec at the National Network to End Domestic Violence. I asked her what Intelius could do better. She said bluntly (not uncharacteristic for those of you that know Cindy): “get my women out of your data”. I said absolutely, but as we began to work through the details, she suggested that it would be better to simply remove the latest contact information so the trail would run cold, frustrating any offender or stalker. I loved the suggestion and worked to get it on the product roadmap. This feature is now offered to all customers of our TrueRep product.
Another example is our opt-out. Our opt-out is free, doesn’t require a reason, but we do require proof-of-identity so we opt-out the right record. And folks have asked us to make our opt-out easier. So, now (announced at pii2011) we allow secure upload of ID in addition to fax and mail. And something we added that wasn’t asked for: we’ve integrated our opt-out into our online ads, so self-searchers on Google can easily get to the new opt-out.
Innovators like Feynman shape technology and how we think about it. We know these others. But I wanted to highlight Norio Ohga – the President of Sony during the invention of the compact audio disk in the late 1970’s. Being an opera student, he mandated that the CD hold 74 minutes of music so that he could listen to Beethoven’s 9th uninterrupted. Mr. Ohga died last month. I think he’s a great example of the class, taste, and technical know-how that goes into eclectic innovation.
And that place to stand is often with the product teams, your toughest critics, and your customers. Innovation is a team sport, risky, but that’s where the rewards are. The key is to balance that risk with knowledge—often from others because you can’t know everything. Customers tell you whether it's valuable. Critics tell you whether it's viable. Regulators tell you if it's legal (politicians tell you if it will be). Competitors tell you whether it's scalable. The worst thing is a tone-deaf innovator.
Reports of privacy’s death have been greatly exaggerated … Dialogues like this are key to unraveling the “ball of confusion”. Innovation is a team sport: CDT, NNEDV, IAPP, Truste, Consumer Action, FPF.
Humans have been grappling with the freedom, power, and responsibilities of new media since the first cave dweller scrawled on a wall. And from there came stone tablets, and parchment, and the printing press, and the telephone, and the television, and the internet. The media change. The social rituals and traditions do not. I’ve heard that we’re undergoing a social revolution in online media. I would say that we’re undergoing a media revolution that’s catching up to our social traditions. Thanks!
Business & Privacy in the Cloud
Innovating from Good to Best Practices
Jim Adler, Chief Privacy Officer & General Manager, Data Systems
twitter: @jim_adler
http://jimadler.me
Drexel University, June 2011

What to talk about?
What’s a Cloud?
Data Use
Data Access
Data Control
Privacy Evolution
Questions

I am not an Attorney
[Venn diagram labels: Intelligence, Social Ineptitude, Obsession, Geek, Dweeb, Nerd, Dork]

The Players

The Playground
[Chart axes: Closed vs. Open; Client (PKA PC & workstation) vs. Cloud (PKA server & mainframe & timeshare)]

Data use in the cloud

The surface web is small…
167 Terabytes

Compared to the deep web…
91,000 Terabytes

Much of it uploaded by us…
Facebook Pictures: 80M/day uploaded
Tweets: 65M/day
YouTube Videos: 19,000 hours/day

~20 Exabytes (20B GB)
Data from dawn of civilization through 2002
Data from April 2011

For lots of reasons… (some regulated)
Reconnecting out-of-touch family members
Online shoppers verifying online sellers
Caller ID of harassing phone calls
Law enforcement
Banking Services
Adopted kids seeking their biological parents
Learning about a business
Airlines trying to return lost luggage
Networkers seeking business opportunities
Social networkers looking to expand their friends list
Professionals learning about colleagues at conferences
Social workers who need to know more about their clients
Singles curious about the people they meet
Lawyers needing quick access to court records
Find owner of dog’s relative for transplant
Genealogists cultivating their family tree
Investigative journalists running down leads
Checking out a prospective tenant
Research
Sales professionals looking for new prospects
Non-profit organizations looking for supporters
Alumni groups arranging reunions
Parents ensuring their kids’ safety
Anyone retrieving court records
Businesses that need to update contact information on customers
Checking out a prospective date
Finding people that have the same illness as you
Sharing
Those legally entangled looking for court records
Anyone who needs address histories for passports
Fiancés and their curious family members
Anyone curious about who's emailing or calling them
Checking out a prospective social network connection
Finding long-lost friends, military buddies, roommates, or classmates
Researching a prospective employee
Regulated

Providing major benefits…
51% “major benefit” is ease and convenience
41% “major benefit” is portability
39% “major benefit” is sharing
Use of Cloud Computing Applications and Services, Pew 2008

But real concerns…
90% “very concerned” if data sold
80% “very concerned” if photos used for marketing
68% “very concerned” if data used to serve them ads
Use of Cloud Computing Applications and Services, Pew 2008

A Prescient Venn Diagram?

Data access in the cloud

When towns were small …

“The only thing worse than being talked about, is not being talked about.” − Oscar Wilde
Density↓ -> Anonymity↓ -> Privacy Expectation↓

“Good Fences Make Good Neighbors” − Mending Wall, Robert Frost
Density↑ -> Anonymity↑ -> Privacy Expectation↑

“In times of rapid change, experience could be your worst enemy.” − J. Paul Getty
#@?$!!
Density↓ -> Anonymity↓ -> Privacy Expectation↓

So, how do we think about publicness and privacy now?

Public speaking is publicly public

Voting is privately public

And some things are publicly private

Your home is clearly private

And the 4th Amendment protects your privacy from government …

But no 4th Amendment protections between citizens

It would be nice … to use a familiar framework for cloud

Cloud banking clearly private

Tweeting is (mostly) public

Cloud dating is public confidential

Data control in the cloud

Private data must be protected
- Clear and stable privacy policies
- Enforce terms of service
- GLBA, COPPA, DPPA, HIPAA, ECPA
- Breach disclosure laws in 46 states
But the bell on public data can’t be unrung

Though this reputational data can be tuned …

Reputation is a two-way street
Awareness of data that’s out there
Control to comment & correct
The rest is in the hands of the world

And people want control of that reputation
57% of adult users use search engines to self-search.
47% of young users have deleted comments that others have written.
41% of young users have removed their name from tagged photos.
Reputation Management and Social Media, Pew 2010

Nor are the costs
The present cost of a rare, future disaster is zero

Ball of Confusion (Matrix)
Regulations
Violations

2/3 of social network users have made adjustments to privacy settings
80% “very concerned” about photos
68% “very concerned” if data used for ads
Pew Internet and American Life Project
Frontier

Compliance is a necessary, but not sufficient, condition for innovation.
Regulation