Thursday, June 14, 2012

Navigating Internet Privacy

Shifts in the modern Internet landscape are creating new challenges and business imperatives for security, IT and legal professionals. Join our panel of experts as they examine the legal, regulatory and public policy initiatives that are impacting online businesses, Internet usage and Internet security today, and tackle the most pressing questions in today's marketplace, including: prospects for new privacy legislation; the potential impact on how companies operate and design products; conflicts that may arise with the development of cloud computing; legal jurisdiction over international data flows in "the cloud"; the progress of online tracking and advertising; the impact of increasing calls for Privacy by Design from policymakers and organizations; and the rise of class action lawsuits in the privacy sphere.
Justin Weiss, Senior Director, International Privacy and Policy, Yahoo and
Trevor Hughes, President and CEO, IAPP

We started with the topic of kids. The COPA is currently under review, including verifiable parental consent issues. The business consent mechanism for that consent is payment card requirements.

I asked about teen use of social media, and the right to be forgotten, particularly when teens post things online that they might regret later. The answer from Trevor started with the fact that social media adoption by youth was higher than any other age group last year; for under thirteen, the parents are complicit in kids getting onto Facebook. As a society we are evolving in how we think about our personal histories. We can't teach our kids how to use social media; they will teach us. The answer is that our perception of personal pasts is shifting with this young generation in North America, and it doesn't mean the same thing to us as adults that it will to the next group of adults. So we were told that teens won't regret later what they post today. I don't really agree with this moral philosophy standpoint, but it is interesting that privacy experts are using this as an argument.

Next we discussed the right to be forgotten specifically in the EU. This includes the portability of your data, and that implies that social network providers would allow you to vote with your data. The expectation currently does not exist that you can control information about you on the Internet; but how much of this was uploaded by you? How much information about you is uploaded by someone else? Who owns this, and who has the right to remove it? The contra to this is that just because it is difficult to do doesn't mean that it shouldn't be done. The thought came up that more practical than the right to be forgotten is the right to know what is online about yourself. Trevor & Justin indicated that there are already businesses coming online to purge and/or correlate aggregated public information about you. The last question on this topic was: what happens when you die? When you die, your data and how your data is handled should be the responsibility of your estate, but compliance regulation is not enforcing this - yet.

We move to the discussion about the e-privacy directive and cookies, and tracking. This concept originally came about because of the stateful nature of the web. Cookies have become much more sophisticated and dangerous, and easily abused. Any modern website can contain 16-20 cookies on their front page. This number is more than likely on the very small side of the average. The EU is proposing informed consent for each cookie. Alternative state management and information grooming tools are being developed to proactively circumvent any legislation.
So we need to clarify that there is a difference between tracking technologies and cookies. By focussing the issue on cookies we are looking at the more transparent technology, but others that are far less transparent do not use cookies to track you. So the legislators and the public need to be aware of this difference. The caveat considered is "unless the tracking is expressly requested by the consumer of the online service." Advertisers and third-party data collectors should be, and are, the ones who are targeted by this legislation.
Browsers are the interface here, and we have four or five real vendors of note here, and it may well be that browser settings will be the key to finding a solution here. In the end we come back to the risk of technology specific legislation, versus focusing on principles of privacy. The case of browsers including "private browsing" options is shown as a case in point of how the market can respond to demand by simplifying the interface to give us what we actually want.

Trevor explains that OBA (online behavioural advertising) is intended to be targeted to ensure that it is beneficial to you, but often comes across as invasive and creepy. Other privacy issues are starting to overtake this one, as industry slowly starts to self-regulate. It's not by any means a perfect state, but it is progress. Yahoo provides icon solutions to let users know which ads are targeted and which are not.
There is a scope creep issue here, because cookies are often involved in gathering the data for OBA, so lawmakers need to approach this topic, once again, very carefully to not paint any forthcoming legislation into a toothless corner.
I asked about the scenario where Facebook provides hook-up and dating site advertisements to 14-year-old boys, and this became an interesting conversation around whether the advertisers or the host holds responsibility for the advertisements, and if they are allowed to have enough information to know your age. My opinion is that since Facebook has this info about us already,

Justin's prediction on the headline for online privacy for this year will be "a Google technology team bypassed default preference settings in the Safari browser", which was today's headline. This will continue to fire the flame on regulation because it is apparent that self-regulation isn't working.

Trevor expects a $20M settlement over a privacy issue in the US that will drive more compliance.

Location: 13th Security & Privacy Conference