Follow Us

Subscribe to the InkHouse Newsletter

Sign Up!

Category Archives: Privacy

Tag Archives: Privacy

Innovation 2012 – An unConference Powered by MassTLC

I had the good fortune to attend unConference 2012 today. It was good fun. I ran into a lot of people I know from the Boston tech community. Many that I hadn’t seen in a while. I was able able to sit in on three sessions during the course of the day. Here are thoughts and notes from two of them.


Bring Your Own Mobile Device

This was a small and intimate gathering with a lot of give-and-take. At the outset, everyone agreed that the devices to be discussed would be limited to smartphones and tablets rather than desktops or laptops. Personally, as someone who brings a laptop into the office every day, I think they should have been included . . . but that’s just me.

Daniel Gerow – who does corporate IT at Wayfair, a home goods e-tailer – was the host of our little band.

At the outset, he asked everyone to share topics of interest.

Security came up a lot, in terms of protecting the data on a device and providing devices with secure access to the enterprise. Policies were one approach, but everyone agreed they are not especially strong, difficult to enforce and better in theory than in practice.

In my opinion, one of the most interesting discussions (as far as I was concerned) was around technologies that created secure devices on an existing device – not exactly virtual, but separated and running in parallel. Two companies were mentioned. The first was Enterproid, whose product, Divide, allows an enterprise to create a secure phone on a personal one. By tapping the home button twice, the secure device is started. It can then access enterprise resources and corporate IT has centralized management capabilities. Double tap again and the phone is your personal one once again.

The second company was MobileSpace. This takes a different approach. It “wraps” applications (no one was quite able to say how exactly “wrapping” worked) and only those apps were able to access the enterprise.

The centralized management offered by both was a big deal.

This is easy to understand when you consider the second issue that came up: fragmentation.

Gerow explained that for him, everything was about standardization. He doesn’t want to have to think about or manage all of these different devices, operating systems and OS variants. Wayfair is a Microsoft shop and so he is able to use ActiveSync to manage all the devices that come through the door (assuming they all support ActiveSync of course). He asks employees wanting to use their own devices what they plan to use them for and is then able to configure policies and permissions based on their specific use case.

The next topic focused on people’s assumptions about the mobile experience. This became a pretty freewheeling topic and covered a lot of ground. One of the elements of the discussion was storage and how frequently people are using services such as DropBox to move files from work to home and back again – whether on a mobile device or otherwise. Everyone agreed that access to corporate data without corporate control was a big issue. The challenge is that dealing with VPNs – especially on mobile devices – is not a great experience. It’s just so much easier to set up a DropBox.

Although no one was able to name a specific product, several people said there are enterprise solutions with DropBox-like capabilities, but without the public cloud storage.

The other user experience issue had to do with live data. One participant discussed healthcare apps that allow caregivers to access and update records from their mobile devices or a PC. Because these are busy people, most tend to want to use their device. This creates a new set of challenges – encryption, performance and maintaining data state if a mobile device loses its connection to the network.

The bottom line is that the technology is in place and people are using it in the workplace. Yes, it raises issues and concerns but the genie isn’t going back in the bottle. Of course, many enterprises hold a digital trump card:

If a device is ever lost or compromised, it can be wiped – killing all the data, personal and enterprise.


Big Data and Privacy

This is an issue that’s near and dear to my heart. Over the past several years I’ve worked with a number of digital advertising and marketing companies so big data and privacy are constant topics.

The big theme here was concern. People agreed there’s going to be more and more data, coming from more and more sources and analyzed and used in ways we haven’t even imagined. As the volume and use of data accelerates privacy concerns will only grow. This presents a huge opportunity for entrepreneurs and technologists.

Participants were asked what they thought was behind what was described as an “immunity” to privacy concerns. The answer from most was that it’s a generational thing. People for whom the Internet has been present for their whole lives seem less concerned that older people.

An interesting variation on this theme was that it also depended on where people were from. One person asked, “What’s the cost of failure? If my credit card is compromised it’s fast and easy to shut it down.” Several disagreed with this attitude, suggesting that Europeans who had lived or known people who had lived in surveillance states were more likely to be careful than Americans. Others pointed out that in despotic countries privacy can be an issue of life of death.

It was suggested that at some point there may be a catastrophic event that forces everyone to rethink their attitude toward privacy, but for now there’s no impetus to change. In fact, we’re being trained and encouraged to share more and more. One participant made the point that Facebook has made everyone more comfortable with sharing information about themselves. The fact that there’s only a “Like” button reinforces people’s willingness to share more information about themselves.

And all that data is being put to work by marketers. Retargeting was mentioned as one use and another participant observed that more data equals better conversion. But this, people thought, was just the low-hanging fruit. There’s movement in the market – around algorithms and analytics – that will allow data to be used more easily.

The important issue around data ownership came up. Who owns the data about us we’ve put out in public channels? Who can extract value from our personal data? Who owns the analysis of the data, or the connections and inferences that can be drawn from it? These are big questions that haven’t been answered. Someone suggested we may see new laws and regulations – which is probably true – but the details are still unknown.

As regulations were discussed, a participant mentioned that attempts to protect privacy could be a threat to innovation. This sparked a discussion that led to questions around the difference between privacy and identity. A woman from the Internet Society said that internally they refer to big data as identifying data – and that there’s no real way for data to remain private. There’s just too much out there that can be connected in too many ways.

The idea that there’s a value exchange – access for information – was also discussed. The problem is that this exchange is not explicit. Consumers may be getting things they want and value – or ads and offers that are relevant to them – but there’s not direct or clear connection to their personal information. There’s an opportunity to change that in ways that could empower consumers by giving them a chance to offer their data to marketers – at a cost – when they’re looking for specific products or services.

This led to a discussion about user-centric identity management. An interesting idea but many wondered if this is something the average citizen should have to worry about. Several people suggested there needed to be some places – and some types of data – that are private. Medical information, for example.

As part of this discussion, a participant mentioned that there are already ways to function anonymously online, even ways to shop without giving out too much information. The Electronic Frontier Foundation was suggested as an important privacy resource. It’s good to know there are resources out there since the conversation ended with some extra-creepy examples from participants of ways data is being collected and used:


  • At Fenway, a fan that made his way from the luxury boxes to the Monster Seats to the grandstands and back to the luxury boxes was approached by security because facial recognition software had identified him in multiple places.
  • At Zuccotti Park, facial recognition was used to identify apparent Occupy leaders for “tactical extraction”
  • As Brazil prepares for the World Cup and Olympics, police officers are being equipped with helmet-mounted cameras, heads-up displays in their face shields and augmented reality capabilities to identify with icons people that may be problematic.

The panel ended on these dystopian notes – but also with the hope that people can exercise some control over their data and privacy. As long as it isn’t already too late.

Read more from Greg Peverill-Conti

FTC Commissioner Julie Brill on Online Privacy and Data Security

Face - FTC Commissioner Julie Brill

Over the past few years many of my clients have been involved in the digital advertising industry. When I learned that FTC Commissioner Julie Brill would be speaking at Harvard’s Berkman Center for Internet & Society I was curious to hear her thoughts on consumer protection, privacy policies and the idea of consent and the rules vs. standards approach to protecting online privacy.

She offered two recent examples of the agency’s work in protecting privacy. One involved Facebook and concerns around unannounced changes to its privacy policy that resulted the company’s failure to keep its privacy promises. Another related to deceptive practices on the part of Google around Google Buzz, and its automatically enrolling people and then exposing their most frequent email correspondents.

In both cases, the FTC borrowed concepts from the remedies it had developed and imposed around data security in the past. Both Facebook and Google were required to implement full-blown privacy programs that will be audited for 20 years by an independent third-party.

Back in the 2000s, much of the focus on privacy was related to data security and data breaches. Today the emphasis has shifted to the inappropriate use of consumer information. In this context, Brill was asked about consumers’ apparent resignation to compromised privacy.

She believes – as illustrated by the hue and cry around the recent changes Google’s privacy policy – that as consumers get more information they will become more concerned and demand action. This was the case when data breaches became an issue in the past. As that problem developed and remedies were sought, the industry balked at consumer notification. Eventually they were persuaded to accept them and everyone has been better served as a result. She sees this as a model for likely progression in today’s data privacy environment.

On the topic of consent, Brill said companies posted their privacy policies with the assumption that by clicking OK or ticking the box the user had agreed. Companies have left this issue to their legal departments and have asked them to come up with policies that will keep them out of trouble.

She believes we need a new concept of consent, one that is accessible, quick and understandable. There will always be a place for full-blown privacy policies but consumers need much simpler “just-in-time” information that is relevant to what they are doing. Do Not Track (DNT) is an example of the type of tools consumers need – and that the industry is starting to provide; but there is room for improvement.

Brill says that consent needs to be about more than giving notice and choice. Companies need to start building privacy into their products. The industry needs privacy by design. This means not making things so hard for consumers. It can’t just be for show though; the tools for understanding need to be accessible but real privacy still needs to be in place and available even if under the hood.

The always-engaging Jonathan Zittrain had an interesting question for Brill. He was curious about rules vs. standards; and how well she thought the agency reflected the vision of Brandeis as politically independent but flexible and responsive to a complex and changing world.

Brill believes the standard approach is a wonderful and flexible tool. The differences between rules and standards become really visible when looking at the EU and US privacy regimes. The EU is far more rules focused and as a result of the differences between the two approaches (and the fact that they do not view of standards approach as adequate) the flow of data isn’t free and relies on a safe harbor model to function.

The FTC takes the view that the agency does a good job of protecting privacy based on its application of standards that have grown up around a common law understanding of privacy. As a result, the FTC is very careful in its case selection. Cases are chosen that will communicate important information and lessons to industry. Each of these cases sends an important message to the industry as a whole and corporate privacy people and groups pay close attention.

To further help the industry understand the current environment, the FTC has just issued its report: Protecting Consumer Privacy in an Era of Rapid Change.

Read more from Greg Peverill-Conti