Privacy is a topic we love to talk about but make little effort to practice.
Practicing privacy is in fact hard to do. Not only is the Internet an information sharing medium, it is strongly commercially influenced as well. Commercial interests are well served by gathering data about user interests and behaviors: targeted marketing, promotions and even product evolution all benefit from private data collection. (For clarity, "private data" in this post includes personal identifying information, details about one's personal life, purchasing and personal interests...)
The ART of Collecting Private Data
Generally, we distinguish whether private data collection is beneficial, harmful or intrusive to users by assessing whether it satisfies accountability, responsibility, and transparency criteria (See "ART" inset at right). Unsurprisingly, public and commercial interest groups have conflicting views of how accountable, responsible and transparent data collection must be.
Conflicts over privacy have become too routine and they often follow a similar course. A data collector publishes or changes a privacy practice and is criticized as behaving intrusively (Facebook, Google), or a third party discloses a data collecting behavior that is condemned as abusive (CarrierIQ). Privacy advocacy groups raise awareness and either insist on change or lobby for legislation that would require greater transparency and accountability from data collectors.
In parallel, grass roots efforts by online safety and awareness raising organizations and experts advise users of privacy threats. These are valuable but they often follow the same methods and practice that the plethora of virus or malware removal articles do: lots of "what is..." and "how to..." but with little "why".
While answering the "how" they fail to capitalize on the opportunity to drive home basic or first principles for private data protection. These are lost amid the many detailed explanations for adjusting privacy settings, installing browser plugins, and similar measures. Bombarding users with information overly complicates awareness raising.
Simplify the privacy message
Think of these principles as you prepare privacy awareness messages or training:
- Sharing is the opposite of "keeping private". There is no corollary to whispering a secret to a friend in cyberspace. Once you share or disclose any bit of information in cyberspace it is potentially public and will remain so forever.
- "Free" almost always comes at a cost to your privacy. Data collectors and social pressures make the temptation to accept free service in exchange for giving up personal data extremely hard to resist. If you can't resist, at least enter the contract with eyes wide open: there are virtually no circumstances where a giveaway, free access or free use of an Internet service or social media site comes free.
- Respect for private data is critical to any commitment to share you make. Do some homework. Be confident that the party whom you are about to trust will respect your privacy before you share any information.
- Choose what you share wisely. There's no substitute or privacy setting that can compensate for poor judgment. Ultimately, you are accountable or responsible for the benefits or harm resulting from what you say, share or reveal.
Encourage those you train, family members, and friends to take ownership of private data.
If you enjoyed this post, you may want to read There Are Only Three True Privacy Threats.
Privacy goes beyond just your personal privacy. Many of us are charged with protecting the privacy of employees, co-workers, and customers. I have written a series of articles on monitoring your "online footprint" through Google Alerts. Please feel free to check out the articles.
The most recent article is at http://caffeinesecurity.blogspot.com/2012/01/monitoring-for-leaked-company-documents.html and contains links to the previous articles.
Posted by: Ken | Wednesday, 08 February 2012 at 01:03 PM