Online privacy: New rules for melding e-commerce and information


Steven Ross, Contributor
09.08.2009


The economics of the Internet have redefined the value of privacy to the ordinary individual. Most people these days gladly sell some of their personal information for what some would say is scant return and others would call valuable services. Of course, people are opposed to having information about themselves disclosed without their permission in a way that might harm them. This is an important point; what they seem to be against is the harm, not the disclosure itself.

Online privacy, pro …

Compliance and information security professionals seem to think there is a societal consensus in favor of privacy. In support of this view, they point to privacy requirements in state and federal laws; according to Privacy Journal there are more than 700 laws regarding privacy and surveillance. To give a few examples, the Privacy Act of 1974 limits what the federal government can do with the data it collects. The Financial Modernization Act of 1999 (better known as the Gramm-Leach-Bliley Act, or GLBA, after its sponsors) includes provisions to protect consumers' personal financial information held by financial institutions. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, does the same for health care and health insurance data subjects.

… And con

Others argue that privacy is not important. If one has nothing to hide, so this argument goes, there is no need for privacy. Online information is by nature public, not private, according to one argument against privacy. Moreover, it is claimed that routine breaches of privacy are a necessary component of e-business, and that commerce on the Web would shrivel and die without data collection.

It is the confluence of commerce and information that raises the issue of online privacy, though the average Internet user rarely thinks of it: The payment for public information is access to a website and a service. If one wants to have an account to use free email, listen to online radio or view videos, a person has to provide some information, such as his gender and age. People freely provide personal, professional and educational histories on social networking sites.

It is for the individual to decide whether the value received is commensurate with the value paid. What is important to information security generally, and the protection of privacy rights particularly, is the prevalent attitude toward the value of information, personally identifiable and otherwise.

Personal information and game scores

It is not just personal information that is being given away. Many people use their computers at work for personal purposes, such as (mea culpa) following the fortunes of their favorite baseball team. Perusing the privacy policy of just one such club (that has disappointed so much and so many this year that looking over the privacy policy could not hurt), one finds that in order to obtain unspecified personal services one might be asked for his "full name, street address, email address, telephone number(s) (e.g., home, work, mobile and/or fax) and birth date."

The team promises not to sell, lease or share this information, with the notable exceptions of its service providers, other baseball teams (even the crosstown Lords of Wickedness) and other partners that it may from time to time designate. The team then lets fans know its site will place cookies and Web beacons on their computers and collect all sorts of information. So, with all that, the Mets know who their fans are, where they work, when they are not working but checking out the ball scores, and the equipment they are using.

Many would say "So what?" to all of this. And that indeed is the argument against privacy altogether. No harm is done; the visitor receives something he presumably values, and there is nothing shameful in the information disclosed.

But this argument debases the value of information, including most importantly the value of the information that companies and individuals do feel is worth protecting. It is akin to saying that taking a dollar or two out of the cash drawer is no big deal. How much money is too much? How sensitive must data be to be too sensitive to disclose?

Lessons to be learned

There are significant lessons for those whose job it is to ensure compliance with privacy rules and legislation.

  • The same employees who are insouciantly using company-owned systems to view seemingly harmless websites are creating a culture that undervalues information. This attitude must be combated with clear statements of what is and is not acceptable regarding the use of company systems and of information about the company and its employees.

    People will, to be sure, still follow the fortunes of their favorite teams, but if they are urged to check privacy statements and understand what they are doing, security and privacy overall will be enhanced. They should be taught to look for terms like cookies, Web beacons or third parties and be given a simple explanation of what those things are and why they are important.

  • This need not be a wholesale awareness program. Many companies use content filters to prevent employees from surfing dangerous, immoral or resource-consuming websites. If, on a random basis, the filter were tuned to look for more innocuous sites (such as baseball team websites), individuals could be identified and spoken to. The objective of reaching out to individuals is not to chastise them (tone is all-important) but to educate. The message should be that management is concerned not about a few innocent minutes spent on the Web but about the security and privacy of information. That word will get around: Information security and compliance professionals should learn to use viral marketing.
  • These same professionals should educate themselves on the scope of this very particular form of data leakage. The scope of the information being freely disclosed about their personnel and, by extension, their organizations, should cause some investigation, if not alarm. It is impractical to ban all external Internet access and it is likewise impossible to track the business nature of every website accessed. But they can be on the lookout for indications that some information has fallen into the wrong hands. These signs might include certain employees receiving unsolicited recruiting calls, vendors targeting specific managers or, worst of all, information about individual employees being used without their approval.
  • Finally, everyone should give some serious thought to the value they receive by blithely giving away personal information. How many social networks, blogs or email services is one too many? If each person had to spend actual money on a Web service, would he or she pay it? And if so, how much?
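The second lesson above suggests tuning an existing content filter to flag visits to innocuous personal-use sites (baseball team websites, for instance) so that a random handful of the individuals involved can be approached for an educational conversation rather than a reprimand. The script below is an added illustration of that workflow, written for this page rather than taken from the article or from any filtering product: it parses a constructed, squid-style proxy access log that includes a username field, counts each user's visits to a constructed watchlist of team domains, and draws a seeded random sample of those users for outreach. The log format, the domain list and the usernames are all assumptions made for the example.

```python
import random
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of proxy access-log lines (timestamp, client IP, username,
# method, URL, status). These entries are made up for this example; the last
# line is deliberately malformed to show that unparsable lines are skipped.
SAMPLE_PROXY_LOG = """\
1252400001.123 10.0.1.15 jdoe GET http://www.mets.com/schedule 200
1252400002.456 10.0.1.22 asmith GET http://intranet.example.com/hr 200
1252400003.789 10.0.1.15 jdoe GET http://www.mets.com/roster 200
1252400004.012 10.0.1.31 bjones GET http://www.yankees.com/tickets 200
1252400005.345 10.0.1.22 asmith GET http://www.example-bank.com/login 200
1252400006.678 10.0.1.31 bjones GET http://www.mlb.com/scores 200
1252400007.901 10.0.1.44 cwong GET http://www.example-news.com/ 200
garbled line that should be skipped
"""

# Constructed watchlist of "innocuous personal-use" domains: the category a
# content filter could be tuned to report on (not block) for awareness outreach.
PERSONAL_USE_DOMAINS = {"mets.com", "yankees.com", "mlb.com"}

# One line = six whitespace-separated fields ending in a three-digit status code.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_proxy_line(line):
    """Parse one access-log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_of(url):
    """Return the host of a URL with a leading 'www.' dropped, for watchlist matching."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def personal_use_visits(log_text, watchlist=PERSONAL_USE_DOMAINS):
    """Aggregate visits to watchlisted domains as {user: {domain: count}}.

    Users with no watchlisted visits do not appear in the result, so the
    output names only the people the outreach program would consider.
    """
    visits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole report
        dom = domain_of(rec["url"])
        if dom in watchlist:
            visits[rec["user"]][dom] += 1
    return {user: dict(counts) for user, counts in visits.items()}


def sample_for_outreach(visits, k, seed):
    """Pick up to k users at random for an educational conversation.

    The seed makes a given run reproducible so the selection can be reviewed;
    choosing randomly rather than by highest count keeps the tone educational
    instead of singling out the heaviest users.
    """
    users = sorted(visits)
    rng = random.Random(seed)
    return rng.sample(users, min(k, len(users)))


if __name__ == "__main__":
    report = personal_use_visits(SAMPLE_PROXY_LOG)
    for user, counts in sorted(report.items()):
        print(f"{user}: {counts}")
    print("selected for outreach:", sample_for_outreach(report, 1, seed=2009))
```

The same aggregation works on a real proxy export once `LOG_RE` is adjusted to the product's log layout; the point of the watchlist is a reporting category, not a blocking rule, so the filter keeps doing its ordinary job while the security team gets a small, random set of people to talk to.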

Steven J. Ross, MBCP, CISSP, CISA, is founder and principal of Risk Masters Inc. Write to him at editor@searchcompliance.com.


All Rights Reserved, Copyright 2009, TechTarget