BELLEVUE, Wash.—What do global spymasters have in common with Internet shoe merchants? Today, both must worry about the privacy considerations of the reams of electronic data they collect and manage—and it’s an increasingly difficult task.
Speaking to 900 attendees from across the U.S. and Europe at the International Association of Privacy Professionals (IAPP) conference here, Howard Schmidt, an information security executive with experience in the White House and corporate boardrooms, said that the profession’s challenges stem from the core link between privacy and security—and a lack of data to define conditions.
“Privacy and security are two sides of the same coin. Without security, you have no privacy. Privacy is the goal, security is the means,” Schmidt said. “This is not an IT issue. It’s a business issue that needs to reside at the governance level in corporations around the world.”
Now a consultant, Schmidt, a former adviser to presidents Barack Obama and George W. Bush, also worked as a chief information security officer at Microsoft and eBay, and is a former president of the Information Security Forum. He lamented both the lack of public awareness on this issue—and the lack of accurate data.
“The FBI can tell us whether the residential burglary rate is going up or down, but we really have little idea about cybercrime. You hear numbers such as phishing is up 17 percent this year. But global Internet use could be up as much as 27 percent. So is the actual phishing rate rising or falling? What’s the success rate? It’s a classic example of the old axiom that you don’t know what you don’t know,” Schmidt said.
‘Moral Panics’ over Data Privacy
Schmidt’s erstwhile federal colleague Stewart Baker, former general counsel at the National Security Agency, decried what he calls “moral panics” that have vastly complicated the government’s task of managing, auditing, regulating and, yes, listening in on global data transmissions.
“The NSA is an intelligence agency that spies on people. Surprise! That’s what it does,” Baker said of the global media frenzy over disclosures that the federal agency collects and monitors “metadata” regarding trillions of phone calls, emails and other data transmissions.
Baker likened excessive privacy concerns to earlier moral panics over alcohol abuse and video games, and told the conference that the entire idea of a right to privacy dates back to a famous 1890 essay by Supreme Court Justice Louis Brandeis expressing alarm at the then-new widespread availability of cameras—the misuse of which Brandeis famously declared could cause “mental pain and distress far greater than mere bodily injury.”
“What a wuss!” Baker declared sardonically, drawing a line from Brandeis’ ideas to modern legal dilemmas, such as privacy laws that make it difficult for law enforcement agencies to find specific email identities. Thus, whether tracking terrorists or the global hackers whose denial-of-service attacks bring down financial institution websites and Internet shoe emporiums, law enforcement officials cannot act anywhere near as quickly as the bad guys, Baker said.
Tension Between Individual Interests and Organizations
While imbroglios over spying data may not seem significant at first glance to information technology managers in business, the two-sided coin of privacy and security presents two similarly opposed but interlinked challenges: the more we require data protection, either organizationally or individually, the more difficult it becomes to identify and prevent data fraud and theft. But the more that data penetration occurs, the less privacy we all enjoy.
Data security managers are well aware, for instance, that the more complicated one makes passwords regulating access to protected accounts, the more likely users are to simply write them down on sticky notes pasted to bulletin boards, whether they work at a federal agency or a call center handling credit card information. That kind of behavior exposes them to old-fashioned “social engineering” theft, in which bad guys gain physical access to the information.
“We deal with this kind of conundrum all the time,” said conference attendee Jim Morey, a data protection manager at Microsoft. “It’s good to hear that big guns such as former top federal officials face issues similar to us here in the trenches of data protection.”
Morey especially endorsed the message that this field is changing every minute, and swift response is essential to data privacy.
“The bad guys are constantly innovating, and time is far more important now than in the past. When I was 12, I lost my wallet. I knew right then what was compromised—a few dollars, some pictures, my Boy Scout card,” Morey said. “Today, we all have pieces of electronic identity all over the Internet, all over the world. If somebody acquires important segments of that identity, it can take weeks, or days, or months to figure out exactly what’s compromised—and the damage can last for years.”
Microsoft Adopts ‘Privacy By Design’
The challenges of data protection have led Microsoft to employ 70 professionals, such as Morey, whose primary charge is data privacy.
“We practice what we call ‘privacy by design,’ in which the principles and practitioners are distributed throughout the organization,” Microsoft chief privacy officer Brendon Lynch told a conference work session. “Whenever data is handled, anywhere in the company, privacy is an issue directly at hand. Allowing individual initiative is very important.”
It makes sense to empower data privacy managers because privacy officers practice their profession in “a constant state of whiplash,” said IAPP president and CEO Trevor Hughes, echoing Morey’s observations.
“Every day, the legal vectors change. Every day, the business vectors change—new data, new ideas, new threats,” Hughes said. “If you are a person who treasures the status quo, this is not the profession for you. If change excites you, come join.”
Privacy Managers Deal with Rule Variances by Country
For example, Internet marketing managers are constantly expanding the vectors in which they follow customers. They are now beginning to try to track potential shoppers across the multiple devices so many people use these days—laptops, smartphones, tablets. Marketers would like to be able to identify someone who looks at a new pair of shoes using their MacBook, their iPhone and their Kindle, at home, at work and on the road—even when they walk into a brick-and-mortar retail store. But at each step, various jurisdictions and regulations, legal or voluntary, come into play. What if your customer is a Brazilian citizen working in the U.S. on a green card, traveling in the European Union and shopping online in Brussels? At the very least now, anyone accessing a website in the EU must be offered a dialog box allowing them to opt out of cookies.
“So, that means that I have to accept a cookie to opt out of cookies, right?” one audience member asked Vinay Goel, Adobe Systems privacy product manager, who had described the new customer tracking vectors.
Goel wryly admitted that was true. “You just have to ensure you stay up-to-date on all the regulations everywhere you operate,” Goel advised.
Lynch, Microsoft’s chief privacy officer, said that good privacy practices go beyond legal compliance.
“If your program is only focused on the law, you’ll be in a constant state of reaction,” Lynch said. “I think it’s necessary to step back and ask, ‘What does this company stand for?’ Focus on that proactively.”
And, one seasoned participant added, privacy executives need to be prepared for new information and challenges every day.
“Lots of coffee is very important,” advised Hilary Wandall, assistant vice president and chief privacy officer at Merck, the pharmaceutical giant.
Eric Lucas is a Seattle-based business and travel journalist.
Correction, Oct. 3, 2013: The original version of this story misstated the speaker who likened privacy concerns to earlier concerns about alcohol abuse and video games. It was Stewart Baker, not Howard Schmidt.