Monday, April 24, 2006

There Ought to be a Law...

Put the emphasis on the "a" in that title. A law, not 50 different laws.

I'm talking about federal privacy breach legislation. California's SB 1386 broke important new ground when it went into effect, and as we've already discussed here, that landmark law has had national impact over the last 14+ months. However, where SB 1386 rolled back the curtain on information security, exposing a serious and very real problem with the stewardship of private data, the 22 (at last count) states that have followed suit have done little more than complicate the situation. As organizations work to determine how to comply with each state's nuanced take on breach notice, the likelihood grows that loopholes will be exploited to avoid costly and, these organizations will argue, unnecessary notification. In the aggregate, each new state law is counterproductive.

It's clear to me that an overarching federal law is necessary to clear up the confusion, establish a single national standard, and simplify the process for everyone - businesses and consumers alike.

From a communications perspective, I'm surprised to see how few companies have stepped out with an opinion on this issue. Consumer-facing organizations with a stake in this issue seem reluctant to speak out for fear of sounding anti-consumer. Software vendors and consultancies with a compliance play have been largely silent on this issue as well, perhaps not wanting to seem mercenary in their objectives.

But it doesn't have to be that way.

Joseph Ansanelli, CEO of data protection player Vontu, has been active on this issue for a number of years, testifying before Congress and offering a thoughtful perspective that can be seen in this opinion piece recently published in the Cyber Security Industry Alliance newsletter.

Ansanelli gets bonus points for the fact that he's not a Johnny-come-lately to this issue, which isn't often the case with cause-of-the-day communications, the public relations equivalent of ambulance chasing. I've followed Vontu for a number of years, going back to my earliest work with the IAPP, and have had the privilege of working with them on a few projects recently, so I guess I'm a little biased. But as a comms consultant and also a privacy geek, I've seen the rush to adopt the latest buzzwords, and a lot of companies' ham-fisted approach to this "strategy" can have the opposite effect, undermining credibility.

Vontu's credibility comes from their consistent and clear long-term commitment to the issue of data protection.

Recommendation: More organizations, especially startups, can learn from this approach. Most of the companies I've worked with over the years have been possessed of a clear passion for solving problems, but lack the patience that is necessary to wait for their evangelical efforts to pay off. Whether the pressure to build a high media profile comes from investors or from a "grass is always greener" mentality, results not realized in six (or fewer!) months are considered as evidence of failure and the search is on for a new cause du jour. That can be a mistake, especially in cases where the original passion of a founder may simply be early in the development phase. Trusting in instinct may involve a serious test of patience, but commitment to the truth is a long-term strategy.

Monday, April 10, 2006

Trend Setting Me

Is it mere coincidence that, within a few short days of discussing RFID and privacy in this very forum, MIT has launched a website where those very issues will also be examined?

Probably, but give an easily bruised ego a break, will ya?

The site is a joint venture between the august tech school and access control vendor/developer HID Global.

As of this moment the site is populated mostly with base-line information on RFID, with no active dialog underway. I expect that will change in the near future.

Keep your eyes peeled.

Thursday, April 06, 2006

Tabs and Tags

Getting back to the issue of RFID, I attended the IAPP’s Boston KnowledgeNet meeting yesterday afternoon, on the subject of “The Language of Privacy.”

Jean-Paul Hepp, CPO with pharmaceutical giant Pfizer, was one of the speakers. Mr. Hepp discussed a number of the privacy issues he faces every day, including the sensitivities of marketing medicines to those who might benefit from their use. Perception, as you might imagine, is a huge issue, and pharma companies must take extra care to ensure patient privacy is protected.

The ways in which this is accomplished are a discussion for another post. Suffice to say it is a complex and fascinating process.

I asked Mr. Hepp about the challenges Pfizer faces relative to the use of tagging medicines. His answer, in which he gave a brief history of the genesis of Pfizer’s use of RFID, was illuminating.

The popularity of Viagra, and the flood of counterfeit products, prompted Pfizer to adopt RFID as a means of implementing quality control as well as distinguishing fake pills from the real thing.

Of course, the tandem of a sensitive medical issue – erectile dysfunction – and the issue of a technology that can reportedly be used to spy on people results in a volatile combination, and Hepp told of the frustration in dealing with the so-called advocates who used Pfizer’s RFID program as the fulcrum in an anti-RFID campaign.

Guess who the most vocal advocate was? If you said CASPIAN, congratulations: you’ve obviously been paying attention.

Cost and practicality dictate that tagged medicine not go beyond the pharmacy shelf. When medicines are sold to individuals, pills are transferred to amber pill bottles.

Observation: There is a compelling case here for Pfizer to take their message to the public and explain the benefits of their anti-counterfeiting program. A quick and unscientific search for information on this issue reveals an abundance of coverage, but the overwhelming majority of publicity is found in technology trade publications, pharmaceutical industry publications, and other non-consumer outlets. Reaching out to a broader consumer audience is important here in order for Pfizer to establish rapport with potential customers and to build trust with that important audience.

Tuesday, April 04, 2006

Spy(ware) vs. Spy(ware)

Isaac Scarborough, of Chapell & Associates, wrote about the Workshop on Spyware that convened recently at the Information Law Institute at New York University.

I wasn’t able to attend the workshop, but I have a strong interest in the subject: one of my clients is beleaguered adware vendor Direct Revenue.

Scarborough chronicles one of the workshop’s panel discussions on what to do about spyware and commented that the discussion wasn’t as much about what spyware is as it was about how to stop it.

The obvious problem with this approach, however, is found in the lack of a broadly accepted definition of spyware. Scarborough mentions that panel moderator, NYU Law professor Harry First, joked about the "malleability" of the language used to describe spyware.

But that malleability is precisely what is at the heart of the adware/spyware debate.

The American Heritage Dictionary defines spy thusly:

Noun: (spī) Inflected forms: pl. spies (spīz)
1. An agent employed by a state to obtain secret information, especially of a military nature, concerning its potential or actual enemies. 2. One employed by a company to obtain confidential information about its competitors. 3. One who secretly keeps watch on another or others. 4. An act of spying.

It would follow, logically then, that spyware would be defined as some type of software or device that obtains secret information. Keyloggers, Trojan horses, dialers and other means of collecting an individual’s personal information clearly fall within that definition. Adware, however, is where the lines get blurry.

Ad serving applications that merely show a few pop-ups per day, usually in exchange for the privilege of using some free software product, typically don’t fall under this category. Rogue distributors of adware may well exploit browser security vulnerabilities to illegally upload bundles of adware in order to engage in click fraud – often resulting in serious performance degradation and a debilitating deluge of pops – but the problem has nothing to do with spying.

Some “advocates” take advantage of the lack of a clear definition of the term spyware to whip up fear and foment negative emotion. Meanwhile, organizations intent on tapping into the lucrative online marketing industry through the use of behavioral marketing and ad serving technology are hampered by the stigma associated with their craft.

Observation: To be clear, unauthorized/non-consensual downloads cannot be allowed to happen without some form of retribution, and illegal activity must be punished appropriately, but until the industry adopts and supports clear definitions for spyware and adware, no one (but the lawyers and fear-mongers) will win. Defining the issue in clear terms, and aggressively defending those terms by calling out misrepresentation of the problem to suit the needs of any particular entity, is the first step in confronting the illegality and dangers of spyware.