Pop quiz today!
Which of the following situations is a violation of privacy:
A national retailer utilizes purchases you make with them to send you advertisements about products you might enjoy or need.
A reputable search engine utilizes data about you from previous searches and other products to better tailor its content to your needs.
A government entity utilizes data in the public domain to home in on potential criminals.
If you answered anything but "it depends" on this quiz, you haven't been following the nuances of the privacy debate.
Let's get a little deeper into each of these examples for just a moment:
In 2012, Target came under media scrutiny for using data analytics to predict which of its shoppers might be pregnant. The retailer then began sending coupons to those shoppers for things like baby clothes, strollers, etc. The story made news when one Minnesota father noticed that his teenage daughter was receiving these materials. The irate father marched into a local Target, demanding to see a manager, and accused the retailer of attempting to encourage his daughter to get pregnant…only to find out from his daughter that she was, indeed, already pregnant. Target's analytics had identified her pregnancy before her own father had known.
In 2014, Amazon.com celebrated its 20th birthday. One of the features this massive online retailer is known for is utilizing knowledge of your shopping habits to send you advertisements about products and services which you might enjoy. As of this year, Amazon is exploring pushing the envelope around this concept and has taken out a patent on what it describes as "anticipatory shipping." Utilizing the data it already has about you, the mega-retailer intends to start shipping items it believes you want before you purchase them, arguing that its algorithms are accurate enough that the cost of returns would not outweigh the benefit of this level of customer service.
Several years ago, people started noticing that their search engines -- in particular, Google -- were displaying different sets of results for the same query. Upon further exploration, people realized that most search engines utilize your location and your browser history to customize answers for you. Such customization makes it easier to retrieve more meaningful results for the consumer, which shortens search time…and also makes it easier to tailor advertisements to what the consumer might be interested in. The downside, of course, is that it may also mask important yet contradictory information that is relevant to the individual's search -- thus reinforcing the searcher's existing biases. (Note: you can turn off "search customization" (as Google refers to it), but it is difficult to find out how on Google's own support site. The link above also explains how to disable search customization relatively easily.)
In June 2013 Edward Snowden exposed the NSA's bulk domestic telephone metadata collection program. The general public was outraged that the government would utilize phone metadata (call records which, combined with cell-site data, reveal location) to spy on its citizens; however, these same citizens exhibited no qualms about carrying a device which regularly broadcasts its location, or about the use of that location data by other governmental entities and agencies.
The examples above illustrate the complexity around privacy. Gone are the days when we could simply state that "<x> data is private"; indeed, we are moving toward an environment of "situational privacy" where the data itself isn't as much the issue as how the data is used. Consumers freely and openly volunteer vast amounts of data every day in seemingly innocuous transactions…yet they are regularly shocked and angered when this data is combined with other seemingly innocuous (and freely given) pieces of data to provide predictive intelligence to marketers, corporations…and yes, to government entities.
As security professionals, we are becoming more embroiled in the debate around privacy. Remembering that privacy itself is impossible without appropriate security controls, the situational nature of data mining and appropriate data usage makes the protection equation daunting. Do we wrap a cocoon of Pentagon-level protection around the data lake, even though 99% of the data within it is considered publicly available? Do we inject ourselves into the data analytics process and become part of the arbitration over whether the data should be used in a certain fashion? Can we monitor and limit/restrict data combination the way systems already enforce separation-of-duties constraints in access control?
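To make that last question concrete, here is an added example (not code from the original post) of what a separation-of-duties style control for data combination might look like: a policy of "toxic combinations" of attributes that are harmless individually but identifying or sensitive when joined, and a check that refuses such a join unless someone other than the requester has approved it, just as a user cannot approve their own conflicting entitlements. The attribute names, the policy entries, and the request records are all constructed for illustration.

```python
"""
Separation-of-duties style check applied to data combination.

Added example, not code from the original post. A "toxic combination" is
a set of attributes that may not be joined in one analytics job without a
second person's approval. All field names and policy rules below are
constructed for illustration, not drawn from any real system.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class ToxicCombination:
    """A set of attributes that must not be joined without approval."""
    attributes: FrozenSet[str]
    reason: str


# Constructed policy: each attribute alone is unremarkable, but the
# combination becomes a quasi-identifier or a sensitive inference.
POLICY: List[ToxicCombination] = [
    ToxicCombination(frozenset({"zip_code", "birth_date", "sex"}),
                     "quasi-identifier: re-identifies most individuals"),
    ToxicCombination(frozenset({"purchase_history", "pregnancy_score"}),
                     "sensitive inference about health status"),
    ToxicCombination(frozenset({"device_id", "location_trail", "home_address"}),
                     "movement pattern tied to a named residence"),
]


@dataclass
class JoinRequest:
    """An analytics job asking to join a set of attributes (constructed)."""
    job: str
    requester: str
    attributes: FrozenSet[str]
    approved_by: str = ""   # second person who signed off, if any


@dataclass
class Decision:
    allowed: bool
    violations: List[str] = field(default_factory=list)


def evaluate(request: JoinRequest, policy: List[ToxicCombination] = POLICY) -> Decision:
    """Allow the join unless it covers a toxic combination with no distinct approver."""
    hits = [rule for rule in policy if rule.attributes <= request.attributes]
    if not hits:
        return Decision(True)
    # Mirror separation of duties: the requester may not approve their own join.
    if request.approved_by and request.approved_by != request.requester:
        return Decision(True, [f"approved: {rule.reason}" for rule in hits])
    return Decision(False, [rule.reason for rule in hits])


def would_trigger(current: FrozenSet[str], new_attr: str,
                  policy: List[ToxicCombination] = POLICY) -> List[str]:
    """Rules that would newly be satisfied if new_attr were joined to current.

    Useful for monitoring incremental joins: the attribute being added is
    the one that tips an innocuous set into a toxic combination.
    """
    after = current | {new_attr}
    return [rule.reason for rule in policy
            if rule.attributes <= after and not rule.attributes <= current]


if __name__ == "__main__":
    # Constructed requests to exercise the policy.
    harmless = JoinRequest("campaign-1", "alice", frozenset({"zip_code", "birth_date"}))
    risky = JoinRequest("campaign-2", "alice",
                        frozenset({"zip_code", "birth_date", "sex", "purchase_history"}))
    self_approved = JoinRequest("campaign-3", "alice",
                                frozenset({"zip_code", "birth_date", "sex"}), approved_by="alice")
    peer_approved = JoinRequest("campaign-4", "alice",
                                frozenset({"zip_code", "birth_date", "sex"}), approved_by="bob")
    for req in (harmless, risky, self_approved, peer_approved):
        print(req.job, evaluate(req))
    print("adding 'sex' to {zip_code, birth_date} would trigger:",
          would_trigger(harmless.attributes, "sex"))
```

Note that the check is about the set of attributes, not about any one field: `zip_code` plus `birth_date` passes, and only the addition of `sex` tips the request into the policy, which is exactly the combination problem the post describes.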
Let's take it a step further. Remembering that corporate data analytics seeks to (among other things) improve the sales cycle and make marketing campaigns more efficient, imagine the implications if the bad guys take the same approach. Consider: your systems are penetrated and data is stolen…but none of the data is regulated by current privacy law or regulation. Six months later, the bad guys run analytics against the acquired data and determine the best targets for fraud or scams. You protected the data and your perimeter reasonably and can show a tiered approach to your controls…those controls were appropriate for your environment…you even prevented the breach from reaching the most sensitive data stores…yet data stolen from you was used to target your customers in the same manner that your marketing and sales teams target prospects. Imagine the liability issues that will circulate through the courts.
As your organization recognizes the value of the data it holds, it is important that we as security professionals remind people of the larger risk and privacy landscapes out there. We cannot rely solely on the legal/regulatory framework to guide us, as the potential brand risks go beyond what the hodgepodge of privacy regulations currently addresses. In most cases, you as the security professional will be the first person to bring these concerns to light and as such will risk being initially portrayed as a naysayer…but more often than not the security warrior ends up having correctly foreseen the risks and challenges looming on the horizon. As we continue to enable our businesses we must ensure that the aforementioned questions -- and dozens more -- are acknowledged and addressed by our business leaders.
My two cents…