What every product manager needs to know about security


"What every product manager needs to know about security" by Phil Burton of 280group at Silicon Valley Product Camp 2011



  1. What Every Product Manager Needs to Know About Online Privacy and Security
     Protecting Your Brand, Revenue, and Business Model
     Phil Burton, Principal Consultant and Trainer, 280 Group LLC
     © 2010-2011 280 Group LLC
  2. Why is Online Privacy Important?
     • Lack of effective privacy can affect revenues and damage your business model
       – Loss of trust and reputation
       – Brand damage
       – Decreases in site visitors
       – Lower revenue
     • Real and growing risk of government regulation in US, EU
       – Potentially limit revenue opportunities
       – Potentially impact the business model
     • Effective privacy requires excellent security
  3. Agenda
     • Threats to Online User Privacy
       – Corporate Policy
       – Poor Operations and Programming Practices
       – Lack of User Education
     • Issues and Consequences
     • Increased Government Regulation?
     • Strategic Issues and Market Requirements
     • Takeaway Ideas
  4. Threats to Online User Privacy: Corporate Policy
  5. Causes of Privacy Threats
     • Corporate policy
       – Business model monetizes private data
       – Complete indifference to privacy issues
     • Poor operations and programming practices
       – Badly designed, buggy software and configurations
       – Poorly secured websites allow professional criminals to steal user private data
         • “contribute” content with “malware”
         • forcefully plant malware
     • Lack of user education
       – Users don’t know how or why to protect private data
       – “Social Engineering” tricks users
  6. Facebook Places Issue
     • Facebook announced location service “Places” August 18, 2010
     • Immediate criticism of default “opt-in”
       – No single opt-out setting
       – No ability to control which people can see check-in
       – Can “check in” friends without permission
       – Available to Facebook partners and phone apps
  7. Facebook Policy Causes Privacy Threats
     • “Your Privacy Isn’t So Private”
       – San Jose Mercury-News, Tech Files column, May 3, 2010
       – Facebook is “cavalier” with privacy of its users
       – “Alarm bells went off in my head over the privacy issues”
       – “Astonishing how much information Facebook now considers ‘public’ and is sharing with its marketing partners”
  8. Google and Facebook “Blurring the Line”
     • “A Blurring Line: Private and Public”
       – NY Times, Bits column, March 15, 2010
       – Google Buzz service “complete disaster” by linking email accounts to status updates on social networks
       – Facebook makes members’ information public by default
       – Issue is “broader muddying of the line between what is private and what is public online.”
  9. Corporate Indifference: Uploaded Photos Reveal Subject Location
     • “Geotags” in uploaded photos identify exact location
     • Children, friends, houses, expensive cars, etc.
     • Website APIs make it easy for criminals and stalkers to locate on Google Maps – “Cyber-casing”
     • Users “compromising their privacy, if not their safety”
     • Illegal under copyright law to strip out all “metadata”
     • Smartphones and websites need better user controls
  10. Tone Deaf: Eric Schmidt Calls for Young Adult “Witness Protection Program”
     • “[Schmidt] predicts, apparently seriously, that every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends’ social media sites.”
     • Technical solution to important policy issue?
     • Doesn’t Google have any responsibility here?
  11. Apple’s Very Different User Privacy Policy
     • Steve Jobs on user privacy:
       – “… different view … than some of our colleagues in the Valley. We take privacy very seriously.”
       – “Privacy means people know what they’re signing up for. In plain English. … repeatedly”
       – “Let them know precisely what you’re going to do with their data.”
       – Wall Street Journal, Technology, Kara Swisher and Walt Mossberg, June 7, 2010, p. R3.
  12. Threats to Online User Privacy: Poor Operations and Programming Practices
  13. The Not-Private Blog
     • The “niece’s blog”
       – The aunt periodically did Google searches on nieces and nephews to keep up with their activities
       – College freshman niece wrote one blog for parents and relatives
       – Wrote a second blog just for friends
         • Password protected
         • Drugs, sex, wild parties, disparaging comments on family
       – Google found it with normal “spidering”
  14. Credit Card Numbers Revealed
     • Web site Blippy.com revealed credit card numbers
  15. Credit Card Numbers Revealed
     • Not enough testing
       – http://techie-buzz.com/tech-news/credit-card-numbers-of-blippy-users-show-up-on-google.html (April 23, 2010)
  16. Not So Private Chats on Facebook
     • Insufficient testing or poor configuration revealed private chats on Facebook
  17. Poor Operations Practices Reveal iPad Phone and Email Info
     • AT&T website exposed phone IDs and email addresses of 114,000 iPad owners
       – Dozens of CEOs, military officials, and top politicians
       – FBI investigating
       – Wall Street Journal, June 11, 2010
  18. Poorly Protected Website Infected with “Drive-By” Malware
     • Hackers successfully penetrate well-known site
       – Plant “drive-by downloads” on poorly protected sites
     • safeweb.norton.com/buzz
  19. Threats to Online User Privacy: User Education
  20. “Forget Email... Social’s the New Spam Vector”
     • “… this shift in spammer strategy from email to social networking sites tracks perfectly with users’ online behavior”
     • “spammers are counting on … our collective naïveté.”
  21. Issues and Consequences
  22. Mark Zuckerberg Doesn’t Value Privacy
     • January 9, 2010
     • April 23, 2010
  23. Zuckerberg Admits Mistakes About Privacy
     • May 24, 2010
  24. Zuckerberg Public Letter Really Targets Federal Government
     • Zuckerberg letter to blogger and Op-Ed piece in Wash. Post, May 24, 2010 – http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html
       – “There needs to be a simpler way to control your information,” he wrote. “In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services.”
       – First response to “furor over Facebook’s user privacy moves that left the site with a public relations problem and fighting to defend its reputation.”
  25. Analysts Say Facebook May Need User Approvals
     • “Facebook Seeps Onto Other Web Sites,” NY Times, April 19, 2010
       – Analysts say Facebook’s desire to spread its tentacles across the Web could run into privacy hurdles, as it will require the company to share increasing amounts of personal information about its users with other sites.
       – “They are going to have to secure more consumers’ approval for data-sharing,” said Augie Ray, analyst at Forrester Research.
  26. Damage to Facebook Brand
     • Why Facebook’s “private” messages are a joke, Jesse Stanchak, May 6, 2010, http://smartblogs.com/socialmedia/2010/05/06/why-facebooks-private-messages-are-a-joke/
     • ACLU Weighs in on Facebook’s Privacy Issues, Rex Gradeless, May 13, 2010, http://socialmedialawstudent.com/featured/aclu-weighs-in-on-facebooks-privacy-issues/
     • 6 Alternatives to Facebook, Itamar Kestenbaum, May 20, 2010, http://www.socialmediatoday.com/SMC/199443
     … and many, many more …
  27. Pervasive Mistrust of Website Intentions
     • Increased Privacy Concerns
       – “Tell-All Generation Keeps Some Things Offline,” NY Times, May 9, 2010
       – “Mistrust of the intentions of social sites appears to be pervasive … telephone survey found 88 percent of 18- to 24-year-olds said there should be a law … to delete stored information [on social media websites.]”
       – “Two weeks ago, Senator Charles Schumer … petitioned the Federal Trade Commission to review privacy policies of social networks.”
  28. Brand Damage: Poor Customer Satisfaction with Social Media Websites
     • ForeSee Results, Annual E-Business Report for the American Customer Satisfaction Index (ACSI), July 20, 2010
       – http://www.foreseeresults.com/research-white-papers/ACSI-e-business-report-2010.shtml
     • “…interviews with approx. 70,000 customers … to measure satisfaction with more than 200 companies in 44 industries and 10 economic sectors”
     • Key finding: “Social Media: Customer satisfaction with social media sites is poor (70) … lowest industry aggregate score of any of the e-business or e-retail industries.”
       – Better than only airlines and subscription TV (66)
  29. Backlash Over Un-Deletable Cookies
     “Cookies Cause Bitter Backlash,” Wall Street Journal, September 19, 2010, http://online.wsj.com/article_email/SB10001424052748704416904575502261335698370-lMyQjAxMTAwMDIwMDEyNDAyWj.html
     • Companies now using “Flash cookies” that can “re-spawn” after being deleted by user
     • Six lawsuits filed since July
     • “There are some in the industry who do not believe that users should be able to block tracking…,” Chris Hoofnagle, director, Berkeley Center for Law & Technology’s information-privacy programs
     • Two bills introduced into Congress
     • Federal Trade Commission expected to issue new guidelines by December.
  30. Consumer Reports Takes Notice
     • June, 2010 Magazine
       – Two out of three online U.S. households use social networks such as Facebook and MySpace, nearly twice as many as a year ago.
       – But “millions … put themselves and their families at risk by exposing very sensitive personal information,” … national survey of 2,000 online households conducted in January.
     • March 23, 2011 email on “Zombie cookies”
       – Describes privacy threat from cookies that “are bits of code placed on your computer by companies that track you while you’re on the Internet — they come back even after you have carefully deleted them. And that’s not illegal.”
       – Invites reader to sign online petition
  31. ACLU Cites “Social Insecurity”
     “We’re just at the beginning (italics added for emphasis) of seeing what the implications are for so much information being posted on social networks,” Nicole Ozer, the technology and civil liberties policy director, ACLU, N. Cal.
  32. “Do Not Track” Option in Firefox 4 Browser
     • Released March 23
     • Builds on “Privacy Mode” in Firefox, Internet Explorer
     • Depends on website voluntary compliance
  33. Increased Government Regulation?
  34. Twitter Settles Federal Trade Commission Charges (June, 2010)
     • FTC charged Twitter deceived consumers and put privacy at risk
     • First case by FTC against social media site
     • Complaint charged poor security allowed hackers to gain admin control, send phony tweets
     • Twitter barred for 20 years from misleading consumers about security, privacy, confidentiality; also must create comprehensive security program, with outside auditing
  35. Google Settles with FTC Over Buzz (March, 2011)
     • Late breaking news!
     • US Federal Trade Commission charged Google with violations of its own privacy policy, with Buzz social network service
       – Gmail account info used without user OK
     • FTC requires Google to get user OK before sharing info
     • 20 years of audits, fines
     • “… legal order … further than voluntary commitment,” – deputy dir., FTC Bureau of Consumer Protection
       – First such action
       – “broad consequences” expected
  36. Online Privacy Becoming Financial Services Industry Issue
     • “View from Inside the Beltway”
       – The WSJ runs a series of exposés on Internet tracking and consumer profiling to enhance ad placement (July 2010)
       – The Department of Commerce Internet Policy Task Force issues an 80-page “policy framework” (December 2010)
       – A McKinsey study shows that consumers reap a net annual benefit of $130 billion from free web-based services (paid for by advertising) (January 2011)
       – Congressman Jackie Speier introduces “do-not-track” legislation (February 2011)
       – McCain, Kerry circulate “online privacy bill of rights” (March 2011)
       – SVB Online Seminar, Are You Tracking This? The Feds are Moving on Internet Privacy, March 17th, 2011
  37. Is This the Future?
  38. A Legal Precedent for User Privacy Legislation
     • State privacy laws – California SB 1386
       – Effective July 1, 2003
       – Requires an agency, person or business that conducts business in California … to disclose any breach of security (to any resident).
       – Similar laws now in force in 46 states in US
     • What would be the impact if these laws were extended to general privacy issues?
  39. Strategic Issues and Market Requirements
  40. Strategic Issues for PMs
     • Is your company’s business model at risk from increased government regulation?
       – … in the US?
       – … in privacy-focused European Union countries?
     • How would government-mandated user privacy protections affect your competitive position?
       – Who benefits? Who loses? Your company? The competition?
     • Major user privacy incident?
     • How do you exercise leadership in your company?
  41. Define Market Requirements
     • Well-researched Market Requirements should cover both stated and unstated (latent) needs
       – Protect your company’s brand and revenue
       – Perhaps protect your career
     • Privacy/Security requirements not called out because they are “universally understood” or perhaps not understood
  42. Who Understands Privacy (Security) Issues?
     • Almost all end users (business, consumer) do not begin to understand privacy issues
     • Most Line of Business owners prioritize time-to-market, or won’t invest in effective security
     • Many software developers do not know how to write secure code
     • IT often deploys insecure websites and networks
     • Most product managers don’t know security
  43. Define Market Requirements
     • Privacy Policy
       – User privacy respected by web site owner company and third parties, including advertisers
       – User data protected from unauthorized access by individuals and companies
       – Simplify data sharing options and default to NONE
     • User Education
       – Educate about managing their data
       – Educate about privacy implications of sharing data
       – Provide effective and timely advice and warnings about social engineering attacks
       – Get effective help if they suspect a security issue
  44. Influence Company Policies
     • Programming, Administration and Operations
       – Test all changes to prevent exposure of user data
       – Ensure that user-posted content is safe
       – Detect and remove malware planted by hackers
       – Work with security vendors on emerging threats
       – Notify users proactively of security breaches, even if not required by law
       – Include partners in security programs
       – Maintain ongoing programs and provide sufficient resources, including outside help
  45. Takeaway Ideas
  46. Takeaway Ideas
     • You must understand the business consequences of poor user privacy
       – It’s only your company’s business model and maybe your career
     • As the product champion, you must articulate the issues, document the requirements, and influence overall policies in your company
     • You do not have to be a security expert
  47. Closure
     • Questions?
     • Contact me later
       – phil@280group.com
       – (650) 766 9970
       – http://tungle.me/philburton to set up an appointment