Privacy on the web, or the lack thereof, has been a major discussion item in 2010 and this was reflected by ReadWriteWeb who have decided privacy was one of the top trends of 2010. I have written about Privacy a number of times last year (see www.jranger.com) most notably a guest post on TechCrunch where I proposed a clear definition of privacy levels and some fundamental principles and subsequently in a guest post on Chinwag where I talked about the need for some form of privacy certification that was understandable by the layman. On this latter point I gave a presentation to the British Computer Society (BCS) Information Security Specialist Group (ISSG) on 1st December - this is included below.
The key point in the presentation is that the desire for privacy is NOT different in the digital and physical worlds. The presentation then explains that privacy principles can be simply explained and proposes that the levels and principles I have defined previously be used as the basis for a web privacy certification process.
I am sure that there are modifications to these levels and privacy principles that would make them better and clearer and I would welcome any comments to that effect (or any comments at all). It is important in my view that the proposal is as simple to understand as the two check boxes used on so many physical forms (Slide 9 of the presentation) - there are many layers to the Privacy issue; this is simply the base layer, but all the more important for that.
3. Introduction
• We jealously guard our privacy in the physical world, but seem
more relaxed in the digital world
4. Introduction
• We jealously guard our privacy in the physical world, but seem
more relaxed in the digital world
• Are we really?
• Or is this a manifestation of our lack of understanding?
• A lack of CLARITY regarding digital privacy
9. Facebook example
• Search for friends
• Friend request
• Friend accepts
• VERY STRONG implication
that communication is
therefore only between
friends
10. Facebook example
• Search for friends
• Friend request
• Friend accepts
• VERY STRONG implication
that communication is
therefore only between
friends
• But the default privacy is
very open
• Disingenuously so
12. “The internet changes everything”
• The internet and web services changes what we can do
13. “The internet changes everything”
• The internet and web services changes what we can do
• But does it change our deep rooted attitudes to privacy?
• Whether we are closed, open or in-between
14. “The internet changes everything”
• The internet and web services changes what we can do
• But does it change our deep rooted attitudes to privacy?
• Whether we are closed, open or in-between
• Suggest that the DESIRE for privacy does NOT change
between the physical and digital worlds
15. “The internet changes everything”
• The internet and web services changes what we can do
• But does it change our deep rooted attitudes to privacy?
• Whether we are closed, open or in-between
• Suggest that the DESIRE for privacy does NOT change
between the physical and digital worlds
• “You’re a broadcast medium whether you like it or not”
• Why?
• Surely I can choose
• Privacy is often traded for free services, but I should
CHOOSE to do so KNOWINGLY
18. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
19. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital
World
20. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital
World
21. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital Self
World Harm
22. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital Self
World Harm
Permanence
Ease of Search
23. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital Self
World Harm
Permanence
Ease of Search
Legislation
Zone
24. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital Self
World Harm
Permanence
Ease of Search
Awareness Legislation
Zone Zone
26. “The internet changes everything” - 2
• Yes it does change some aspects, for example
• Greater opportunity for self-harm
• Data persistence
• Ease of search
27. “The internet changes everything” - 2
• Yes it does change some aspects, for example
• Greater opportunity for self-harm
• Data persistence
• Ease of search
• But does it change our deep rooted attitudes to privacy?
• Whether we are closed, open or in-between
29. “The internet changes everything” - 3
• It does change what we can do
• e.g. information discovery
• e.g. use of Twitter for Broadcast
• e.g. Cloud services
• Some users use new capability to over-share
• Some do so deliberately - they did before digital too
• Contend the majority do not do so knowingly
• Web sites are deliberately disingenuous
• e.g. previous FB example
• They wouldn’t need to if privacy desire had truly changed
32. Statistics, lies & damned lies
• No clear statistics
• TNS survey in 2009
• Respondents self-selected so I perceive probability of
knowledge higher than average user
• 75% said know how to protect their personal info online
• but only 39% do so consistently
• and despite knowledge 35% felt privacy had been invaded
or violated in the last year
33. Statistics, lies & damned lies
• No clear statistics
• TNS survey in 2009
• Respondents self-selected so I perceive probability of
knowledge higher than average user
• 75% said know how to protect their personal info online
• but only 39% do so consistently
• and despite knowledge 35% felt privacy had been invaded
or violated in the last year
• Suggests a clear need for education first
• and simple clear definitions
• that the AVERAGE internet user can understand
34. Difficult?
• We are all now familiar with the standard 2 check boxes on
forms:
• Not too technical
• Doesn’t discuss how things are done
• Nor shrouded in legalese
37. An example
• I buy a phone from O2
• I make calls on that phone privately to others for a year
• All is good
38. An example
• I buy a phone from O2
• I make calls on that phone privately to others for a year
• All is good
• Then O2 change their terms and conditions
• Unilaterally share all my phone calls from the last year with
everyone
39. An example
• I buy a phone from O2
• I make calls on that phone privately to others for a year
• All is good
• Then O2 change their terms and conditions
• Unilaterally share all my phone calls from the last year with
everyone
• It just wouldn’t happen
40. An example
• I buy a phone from O2
• I make calls on that phone privately to others for a year
• All is good
• Then O2 change their terms and conditions
• Unilaterally share all my phone calls from the last year with
everyone
• It just wouldn’t happen
• So why then is that acceptable behaviour from major web
businesses?
• We need simple, clear basic privacy principles which users
can understand, and reputable sites conform to
41. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital Self
World Harm
Permanence
Ease of Search
Legislation
Zone
42. Harm
Ethical Grey Unethical Illegal
Spectrum
Public Interest List Unsolicited Phone
Physical Gossip
Privacy Invasion Selling Calls
Libel
Tapping
Assault
World
Mug ID
Fraud
Targeting Theft
Digital Self
World Harm
Permanence
Ease of Search
Awareness Legislation
Zone Zone
43.
44. It is of course more complicated ...
The Real Life Social
Network by @padday
But that is the next layer of detail
46. Minimum basic privacy principles
• We are clearly told at which privacy level a service operates at
Identified 223 tracking
files/programs
47. Minimum basic privacy principles
• We are clearly told at which privacy level a service operates at
Identified 223 tracking
files/programs
• The privacy level cannot be changed on us without us knowing
48. Minimum basic privacy principles
• We are clearly told at which privacy level a service operates at
Identified 223 tracking
files/programs
• The privacy level cannot be changed on us without us knowing
• We have an ability to have our information deleted should we
so wish it
• Retracting permission should be as easy as giving it
49. It is of course more complicated ....
• Copyright in self
• Who owns derived data
• How retract data already passed on
• ....etc
50. It is of course more complicated ....
• Copyright in self
• Who owns derived data
• How retract data already passed on
• ....etc
But again that is another layer of detail
51. How?
• Enshrined in some manner of certification
• Privacy certification bodies exist today; however,
• Don’t have simple principles
• Primarily check site does what Privacy policy says, not
mandating minimum
• Facebook has a TRUSTe certificate for example
• Question as to whether quick to retract certificate
• Some statistics imply that those with certificates are MORE
likely to breach their own privacy principles!
53. Appetite for change?
• Privacy and digital business can co-exist
• Even with issues with TRUSTe model, they claim new web
sites get a 20% better retention/sales with their logo
• Not everything has to be free
54. Appetite for change?
• Privacy and digital business can co-exist
• Even with issues with TRUSTe model, they claim new web
sites get a 20% better retention/sales with their logo
• Not everything has to be free
• World Wide Web
• If we as industry don’t address issue Governments will
• Legislation not universal
• Fracturing of web
• inhibits innovation
57. • Internet, Web, Web 2.0 brings many benefits
• Privacy is a critical issue
• Must be addressed
• Simply & clearly
• But doesn’t have to stifle those benefits
58. • Internet, Web, Web 2.0 brings many benefits
• Privacy is a critical issue
• Must be addressed
• Simply & clearly
• But doesn’t have to stifle those benefits
• Privacy in the digital world must be about informed consent as
it is in the physical world
• Expectation and right to privacy by default
59. • 6 simple privacy levels • 3 Privacy principles?
• We are clearly told at which
privacy level a service
operates at
• The privacy level cannot be
changed on us without us
knowing
• We have an ability to have our
information deleted should we
so wish it
• Retracting permission should
be as easy as giving it