Research Released on Usability of Internet Privacy Tools

Researchers at Carnegie Mellon University released a study today titled “Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising.” “All nine of the tools we tested have serious usability flaws,” said Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory (CUPS). Read the full press release here.

A Timely Post on Privacy from Visa Privacy Lead Russell Schrader

Visa’s Chief Privacy Officer, Russell Schrader, writes about Visa’s approach to consumer privacy and why their customers’ privacy is one of their top concerns. Click here for the full post.

Microsoft Measures Consumer Online Safety Awareness

Congresswoman Marsha Blackburn (R-TN), a guest speaker at the Microsoft Digital Citizen event, applauded Microsoft’s efforts to quantify consumer perceptions of Internet safety, security, and privacy, while cautioning against prescriptive interventions. “Congress needs to adopt the philosophy of first do no harm, but only once you have a defined harm,” she said. “We don’t know what consumers’ true expectations are going to be in a year from now, except to say that it is evolving.”

Microsoft’s Trustworthy Computing Group, which is focused on educating consumers about safe Web use, released its first annual Microsoft Computing Safety Index at the event, revealing that consumers are taking steps to protect themselves but that there is room for growth. Key findings:

“I look at the index [survey results] as a report card” and “I hope the index can serve as a baseline for measurement,” said Jacqueline Beauchere, Director of Trustworthy Computing at Microsoft. Microsoft has created an abbreviated version of its index survey, which can be taken at www.microsoft.com/security/mcsi.

Chris Wolf Participates in ITU Telecom World in Geneva

FPF’s Chris Wolf is currently participating in the International Telecommunication Union’s Telecom World in Geneva. The International Telecommunication Union (ITU) is part of the United Nations and handles issues in information and communications technology. Chris is on a panel discussing cybersecurity challenges and was also invited to submit his paper “The Role of Government in Commercial Cybersecurity: Public-Private Partnerships and Improvements in Government Data Security Rather Than Government Control as the Optimal Model.” Please enjoy Chris’ remarks that he will give today at the conference:

“Thank you for inviting me to speak with you today.

ITU Telecom World 2011 here in Geneva has brought together heads of state, leaders of government and international organizations, corporate CEOs, mayors of top cities, thought leaders, innovators and researchers. I am honored and humbled to be included among such an elite group.

And among the topics being explored here at the ITU gathering, perhaps none is as pressing as the issue of cybersecurity.  So I am especially pleased to be on this panel exploring that issue.

My part of this program, in contrast with the other presentations, has a truly “macro” focus: the role of government in achieving cybersecurity.

In the paper I prepared for this session, I observe that given the dramatic increase in cybersecurity incidents, some look to government to take control of the cybersecurity problem.   And in my paper, I have concluded that not only is government control not possible in most modern democracies, but it is not the best approach at all.

In my own country, the United States, there are restrictions on the government “taking charge” of the flow of information through network access, monitoring, and/or control, as well as the limitations of government technical capabilities.  As a result, US cybersecurity policy is collaborative, with the government working with industry to develop flexible standards rather than prescribing complex regulations. The result is a process-oriented, thematic approach to commercial cybersecurity that is more likely to produce optimal business practices.

Indeed, government control of cybersecurity is ill-advised even in non-democratic countries, such as China. I currently am examining the so-called MLPS proposals in China, which would require indigenous Chinese technology for cybersecurity, and am concluding that a restrictive and prescriptive approach to information security blocks the adoption of best available technology and practices.

After reviewing frameworks in the US, the EU and Asia, I have concluded that government’s principal role in protecting cyberspace is and should be through (1) law enforcement, (2) improvements to its own cybersecurity and sharing its research and experience with industry and the public, and (3) engaging in a public-private dialogue about cybersecurity through which it incorporates suggestions from industry into cybersecurity policy.

I would like to talk about the approach in the US, before offering some observations about the situation in the EU and Asia:

First, the United States’ approach to the security of its own internal government networks is relevant to the extent that the US government shares with industry some of its security standards. This, in turn, encourages commercial entities to follow the government’s own rigorous standards. Indeed, in some circumstances, commercial government contractors are required to follow those standards. As a result, the government leads in establishing some security standards.

A key component of the US government’s approach to commercial cybersecurity policy has been to facilitate a public-private dialogue that has enabled both government and industry to learn from each other’s experiences. For example, the US Computer Emergency Readiness Team (“US-CERT”), the operational arm of the National Cyber Security Division at the Department of Homeland Security, is a public-private partnership that interacts with federal agencies, industry, the research community, state and local governments, and others to publish cybersecurity information. US-CERT also provides interested parties with the ability to communicate and coordinate directly with the United States government on cybersecurity. From personal experience in assisting law firm clients in dealing with cybersecurity incidents, I can tell you that US-CERT plays an extremely useful role.

Perhaps the best example of the constructive role private entities can play in the public-private dialogue is the defenses mounted by private company security experts against the Conficker worm.

The Conficker worm, as you undoubtedly know, is one of the world’s most devastating pieces of malware that continues to baffle experts and has infected more than twelve million computers around the world, including those of the British Parliament and the French and German military. In November of 2008, a group of cyber warriors, who called themselves the “Conficker Cabal,” volunteered their time, and in some cases their own money, to identify, dissect, track, monitor and defend the Internet against this massive exploit. This episode is described in a new book by author Mark Bowden entitled “WORM The First Digital World War” and illustrates the role private parties can play in the private-public partnership.

Two other US developments to note before I move on to other parts of the world:

In March 2011, a broad coalition of business, civil liberties, and Internet security groups released a white paper that supports the continued use of public-private partnerships to address cybersecurity rather than have the government play a more prescriptive and intrusive role. The paper, entitled “Improving Our Nation’s Cybersecurity through the Public-Private Partnership,” emphasized the importance of collaboration between the private and public sectors but concluded that the complexities of the Internet and the sophistication of cyber-criminals made centralized control of the problem ill-advised.

And in June of this year, the US Department of Commerce issued a “Green Paper” preliminarily recommending a new framework for commercial cybersecurity entitled “Cybersecurity, Innovation and the Internet Economy.”  The report discusses how to improve the cybersecurity practices of companies that operate online in the so-called “Internet and Information Innovation Sector,” not including companies in “critical infrastructure” sectors that implicate national security interests.

The Department of Commerce Green Paper recommended that the Department (1) work with multi-stakeholder groups to develop, when necessary, nationally recognized and consensus-based cybersecurity standards and practices specific to the covered businesses; (2) work with industry to create, through public policy, public-private partnerships and other means, new incentives for firms to follow nationally recognized cybersecurity standards and practices as consensus around them emerges; (3) work with industry and other federal agencies to deepen private-sector and public understanding of cybersecurity vulnerabilities, threats, and responses in order to improve incentives, research and development, and education; and (4) continue to enhance the Department of Commerce’s international collaboration and cooperation activities regarding cybersecurity.

Specifically, the Green Paper called for improved commercial cybersecurity through the use of voluntary self-regulatory industry standards. It also contemplated the development of external incentives for businesses that institute strong cybersecurity practices, such as liability protection, improving the availability of cybersecurity insurance, and tax breaks. Notably, none of these methods would impose prescriptive regulations on businesses.

On the US approach to cybersecurity, let me conclude by saying that it is a work in progress, as evidenced by the keen interest demonstrated by lawmakers on Capitol Hill this year. But the general framework, a collaborative and not overly prescriptive one, is likely to remain the norm.

In the EU, member states have implemented privacy and data security laws pursuant to several directives of the European Parliament and Council, including the 1995 Data Protection Directive and the 2002 E-Privacy Directive. These contain requirements pertaining to the processing and safeguarding of personal data and the confidentiality of electronic communications, which the member states have transposed into national law, and while the directives contain detailed and extensive privacy and confidentiality requirements, their treatment of data security is less comprehensive.

Apart from these general principles, the directives say little with respect to data security. Given the generality of these requirements, the EU member states have had considerable flexibility in implementing the directives’ security mandates. As noted in recent reports by the European Network and Information Security Agency (ENISA)—an EU agency established in 2004 to enhance the capability of the member states and their business sectors to prevent, address, and respond to network and information security threats—this variance is not without costs in terms of addressing transnational issues such as cybersecurity.

In a March 2011 report on the threat posed by “botnets,” ENISA found that the diversity of the member states’ legal frameworks in the context of cybercrime was a “key factor” affecting the fight against botnets. The report also noted that the detection and mitigation of cybercrime was limited by conflicts between the member states’ data protection and IT security laws. Among other recommendations, the report called upon regulators to harmonize European laws in order to facilitate mitigation processes and cooperation at an international level.

Just in time for my presentation today, ENISA recently issued a new guide with thirty-six recommendations on building effective Public and Private Partnerships for data security, called “Cooperative Models for Effective Public Private Partnerships – Good Practice Guide.” ENISA recognized that across the EU, the critical infrastructure of most member states is in the hands of the private sector and, therefore, to provide secure and reliable system access for citizens and businesses, industry and governments must work together. The ENISA Guide underlines the need for a common understanding across Europe of the importance of a public-private partnership.

Finally, turning to non-European countries, APEC, the group of nations addressing Asia-Pacific Economic Cooperation, has made cybersecurity a priority. In the APEC TEL Strategic Plan for 2010 to 2015, there is a commitment to promote the development of effective cyber security initiatives, in accordance with the APEC Cybersecurity Strategy and the APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment, including through distribution of best practice approaches, information sharing, technical cooperation, training and education.

Governments and businesses of the world, from the US to the EU to Asia, recognize the urgency of cybersecurity for national and international health, welfare and economic growth.

There is a convergence in approach internationally, one that recognizes that governments do not have all of the answers – that they cannot and should not prescribe the technologies to defend computer networks. There is a role for government, to be sure – in law enforcement, in leading by example, and in facilitating research and incentives for information security development. There is a growing recognition that governments working together with industry, through public-private partnerships, can help advance cybersecurity significantly.

Thank you very much.”

French Gathering of Global Govt & Bus Leaders Focus on Privacy

By Chris Wolf, FPF Founder and Co-Chair

On October 21st, I was invited by the French Minister for Industry, Energy and the Digital Economy, Eric Besson, to participate in a seminar on the future of the Internet in Paris. The privacy session was entitled “Reconciling the Internet business model and respect for privacy” and billed as follows:

Since the appearance of data processing tools more than four decades ago and the introduction of personal data files, States have acquired both tools and organizational structures in order to protect their citizens’ privacy. These include strict legal and regulatory frameworks, guidelines (like those of the OECD), the appointment of privacy-protection authorities, and the development of “privacy by design” technologies and applications.

Moreover, the use of personal data is a complex issue today, given the number of intermediaries involved in an Internet-based transaction, and given the arrival of cloud computing. Cross-border flows of personal data are today widespread, given the global nature of the Internet.

These shifts are overturning the relationship between personal data held by individuals and organizations. Given these challenges and conflicting interests, we need to strike the right balance between the right to privacy and the Internet’s business model.

How can we give individuals permanent control over their personal data on the Internet, particularly given the explosion in the use of social networks, without hampering the growth of the digital economy? What are the best practices to avoid using personal data for commercial purposes, without individuals’ consent? What initiatives can be taken in terms of international cooperation?

I was asked to be the first intervener following a presentation by this panel of government officials and business representatives:

Simon Kennedy, Vice-Minister for Industry – Canada

Igor Shchegolev, Minister of Communications and Mass Media – Russia

Yong Sup Shin, Commissioner, Korean Communications Commission

Ed Vaizey, Minister of Culture, Communications and Creative Industries – United Kingdom

Esko Aho, Executive Vice-President, NOKIA

Simon Davies, PRIVACY INTERNATIONAL

Herman Heunis, Founder and CEO, MXit

Denis Jacquet, Chairman, YATEDO

Elliot Schrage, Vice-President of Global Communications, Marketing and Public Policy, FACEBOOK

Moderator: Sherry Coutu, UK-based Entrepreneur

The government officials uniformly stressed the need for a light regulatory touch (what the former Finnish Prime Minister and NOKIA representative called “smart regulation”). Still, there were repeated references to the need for businesses to adopt self-regulation and follow principles of Privacy by Design (the concept originated by Ontario DPA Ann Cavoukian and highlighted at the conference by the Canadian Minister). The Russian Minister expressed his government’s commitment to Internet privacy. M. Jacquet stressed the importance of consumer education. Elliot Schrage highlighted the granular tools available to Facebook users to control their data, and the fact that Facebook does not share personal data with third parties. The other industry representatives highlighted some of their best practices. And Simon Davies of Privacy International sounded the only slightly negative note of the panel, questioning whether Privacy by Design was more than just a slogan, and challenging Facebook on its privacy protection.

Notably, one of the more important policy questions on the agenda, “What initiatives can be taken in terms of international cooperation?” was addressed only in passing.

Thus, when I was called upon, I praised the panel for highlighting the importance of sharing best practices and for recognizing the role of limited regulation combined with private sector responsibility. Still, I urged the panel and the few Data Protection Authority representatives in the audience, mostly from the French DPA — the CNIL, to focus more on the convergence internationally in privacy protection and less on the differences in national frameworks. I mentioned how Fair Information Practice Principles, reflected in the OECD guidelines, underlie all modern privacy protection regimes. And I mentioned how concepts of Privacy by Design, Codes of Conduct, Accountability, cross-border enforcement, the rise of the Chief Privacy Officer profession and the international sharing of best practices (such as data breach notifications and new ways to notify and empower consumers) were far more important in an interconnected/cloud computing world than the perceived superiority of a national framework. Finally, I noted the extreme cost that framework superiority rules impose on businesses in countries deemed not to have the identical protections as a national framework, and that the cost ultimately is borne by consumers.

EuroPriSe Expert Workshop, November 2011

Participate in the EuroPriSe Expert Workshop held on Nov. 23-25 and acquire the skills necessary to compose a EuroPriSe Evaluation Report and qualify as a EuroPriSe Privacy Expert. International privacy experts are invited to take the certification exam to receive the accreditation to become expert reviewers. EuroPriSe is a government-backed European privacy seal and an initiative of the data protection authority of Schleswig-Holstein (ULD), Germany. Register here.

Jules Polonetsky’s KRLD Radio Interview on Online Privacy

On Tuesday, October 18, FPF’s Jules Polonetsky spoke with Mitch Carr of KRLD Radio, broadcasting to Dallas and Fort Worth, Texas, about online privacy and the current state of Do Not Track. Please click here to listen to the clip.

December 5th Privacy Conference

The Future of Privacy Forum Presents

Personal Information: The Benefits and Risks of De-Identification

On December 5, 2011, leading academics, advocates, Chief Privacy Officers, legal experts and policymakers will gather to discuss and debate the benefits and risks of de-identification and the definition of personal information. Please join us for this discussion of one of the most central issues for the future of privacy, data use and innovation.

Please click here (link expired) to register to attend in person or receive log-in information for our live-blog and twitter feed.

Where:

The National Press Club

Murrow Room

529 14th Street, NW

Washington, DC 20045

Agenda:

9:00 – 9:30 am – Opening Presentation: How is De-Identified Data Used: Overview of the ways de-identified data is used in the areas of health, marketing, traffic management, and fraud.

9:30 – 10:30 am – Panel 1: What are the Risks? De-Identification and Re-Identification Risk Analysis.

Panelists:

Moderator: Kim Gray, Chief Privacy Officer, IMS Health

10:30 – 11:30 am – Panel 2: Common Secondary Uses of De-Identified Data: How are companies or governments using data? What are the Benefits? How are the Risks Being Handled Today?

Panelists:

Moderator: Marcy Wilder, Partner, Privacy and Information Management, Hogan Lovells

11:30 – 12:30 pm – Panel 3: Data Use for Consumer Services

Panelists:

Moderator: Lance J. Hoffman, Distinguished Research Professor, Computer Science Department, Director, Cyber Security Policy and Research Institute, The George Washington University

12:30 – 1:30 pm – Keynote Luncheon with The Honorable Louis W. Sullivan, MD, Former Secretary, U.S. Department of Health and Human Services

1:30 – 2:30 pm – Panel 4: Advertising and Marketing Uses and Concerns

Panelists:

Moderator: Jules Polonetsky, Director and Co-Chair, Future of Privacy Forum

2:30 – 3:30 pm – Panel 5: Legal Perspectives on Anonymization

Panelists:

Moderator: David Hoffman, Director of Security Policy and Global Privacy Officer, Intel

Special Thanks to our Partners:

*This is a preliminary program and is subject to change.

No fee to attend, but advance registration is required. Space is limited, so register now!

For questions, email [email protected].

More Companies Need to Get on the Privacy Bandwagon

FPF Co-chairs Chris Wolf and Jules Polonetsky presented today at the Online Trust Alliance (OTA) Forum. Wolf moderated the panel “View from the Hill: Legislation Landscape & Regulatory Concerns – Looking into the Crystal Ball.” The panel captured the view that while there will most likely be no privacy and data stewardship legislation this year, self-regulatory organizations certified by the FTC may play a greater role. In a separate panel on competing best business practices, Justin Brookman, Director at the Center for Democracy & Technology (CDT), advocated for baseline privacy legislation based on the notion that “without standards, it is really hard for companies to compete on privacy.” “There should be industry wide standards. We can’t expect any one actor to be the good guy,” Brookman said. Fran Maier, President of TRUSTe, stated that the current standard is similar to a “carrot and stick approach,” where the threat of the stick through compliance efforts has motivated positive changes in the industry. “But, there are still a lot of companies that haven’t been taking initiative,” she said.

Controlling Your Reputation in a World that Holds No Secrets

Please click here to read a piece by FPF’s Christopher Wolf on the steps consumers can take to protect their online reputation.